CLI Reference Guide
NWA/WAC Series
802.11 a/b/g/n/ac Access Point
Default Login Details
LAN IP Address: http://192.168.1.2
User Name: admin
Password: 1234
Version 5.00 Edition 1, 11/2016
Copyright © 2016 Zyxel Communications Corporation
IMPORTANT!
READ CAREFULLY BEFORE USE.
KEEP THIS GUIDE FOR FUTURE REFERENCE.
This is a Reference Guide for a series of products intended for people who want to configure the NWA/WAC via Command Line Interface (CLI).
Some commands or command options in this guide may not be available in your product. See your product's User’s Guide for a list of supported features. Every effort has been made to ensure that the information in this guide is accurate.
How To Use This Guide
1 Read Chapter 1 on page 13 for how to access and use the CLI (Command Line Interface).
2 Read Chapter 2 on page 24 to learn about the CLI user and privilege modes.
Do not use commands not documented in this guide.
Related Documentation
• Quick Start Guide
The Quick Start Guide shows how to connect the NWA/WAC and access the Web Configurator.
• User’s Guide
The User’s Guide explains how to use the Web Configurator to configure the NWA/WAC.
It is recommended you use the Web Configurator to configure the NWA/WAC.
PART I
Introduction
CHAPTER 1
Command Line Interface
This chapter describes how to access and use the CLI (Command Line Interface).
1.1 Overview
If you have problems with your NWA/WAC, customer support may request that you issue some of these commands to assist them in troubleshooting.
Use of undocumented commands or misconfiguration can damage the NWA/WAC and possibly render it unusable.
1.1.1 The Configuration File
When you configure the NWA/WAC using either the CLI (Command Line Interface) or the web configurator, the settings are saved as a series of commands in a configuration file on the NWA/WAC. You can store more than one configuration file on the NWA/WAC. However, only one configuration file is used at a time.
You can perform the following with a configuration file:
• Back up NWA/WAC configuration once the NWA/WAC is set up to work in your network.
• Restore NWA/WAC configuration.
• Save and edit a configuration file and upload it to multiple NWA/WACs in your network to have the same settings.
Note: You may also edit a configuration file using a text editor.
1.2 Accessing the CLI
You can access the CLI using a terminal emulation program on a computer connected to the console port, or access the NWA/WAC using Telnet or SSH (Secure SHell).
Note: The console port is not available in every model. Please check the User’s Guide or datasheet, or refer to the product page at www.zyxel.com to see if your NWA/WAC has a console port.
Note: The NWA/WAC might force you to log out of your session if reauthentication time, lease time, or idle timeout is reached. See Chapter 6 on page 41 for more information about these settings.
1.2.1 Console Port
The default settings for the console port are as follows.
Table 1 Managing the NWA/WAC: Console Port
SETTING        VALUE
Speed          115200 bps
Data Bits      8
Parity         None
Stop Bit       1
Flow Control   Off
When you turn on your NWA/WAC, it performs several internal tests as well as line initialization.
You can view the initialization information using the console port.
• Garbled text displays if your terminal emulation program’s speed is set lower than the NWA/WAC’s.
• No text displays if the speed is set higher than the NWA/WAC’s.
• If changing your terminal emulation program’s speed does not get anything to display, restart the NWA/WAC.
• If restarting the NWA/WAC does not get anything to display, contact your local customer support.
Figure 1
Console Port Power-on Display
FLASH: AMD 16M
BootModule Version: V1.13 | 06/25/2010 15:05:00
DRAM: Size = 256 Mbytes
DRAM POST: Testing: 262144K
After the initialization, the login screen displays.
Figure 2
Login Screen
Welcome to NWA3160-N
Username:
Enter the user name and password at the prompts.
Note: The default login username is admin and password is 1234. The username and password are case-sensitive.
1.2.2 Telnet
Use the following steps to Telnet into your NWA/WAC.
1 If your computer is connected to the NWA/WAC over the Internet, skip to the next step. Otherwise, make sure your computer IP address and the NWA/WAC IP address are on the same subnet.
2 In Windows, click Start (usually in the bottom left corner) and Run. Then type telnet and the NWA/WAC’s IP address. For example, enter telnet 192.168.1.2 (the default management IP address).
3 Click OK. A login screen displays. Enter the user name and password at the prompts.
Note: The default login username is admin and password is 1234. The username and password are case-sensitive.
1.2.3 SSH (Secure SHell)
You can use an SSH client program to access the CLI. The following figure shows an example using a text-based SSH client program. Refer to the documentation that comes with your SSH program for information on using it.
Note: The default login username is admin and password is 1234. The username and password are case-sensitive.
Figure 3
SSH Login Example
C:\>ssh2
Host key not found from database.
Key fingerprint: xolor-takel-fipef-zevit-visom-gydog-vetan-bisol-lysob-cuvun-muxex
You can get a public key's fingerprint by running
% ssh-keygen -F publickey.pub
on the keyfile.
Are you sure you want to continue connecting (yes/no)?
yes
Host key saved to C:/Documents and Settings/user/Application Data/SSH/hostkeys/ ey_22_192.168.1.2.pub
host key for 192.168.1.2, accepted by user Tue Aug 09 2005 07:38:28 admin's password:
Authentication successful.
1.3 How to Find Commands in this Guide
You can simply look for the feature chapter to find commands. In addition, you can use the List of
at the end of the guide. This section lists the commands in alphabetical order that they appear in this guide.
If you are looking at the CLI Reference Guide electronically, you might have additional options (for example, bookmarks or Find...) as well.
1.4 How Commands Are Explained
Each chapter explains the commands for one keyword. The chapters are divided into the following sections.
1.4.1 Background Information
Note: See the User’s Guide for background information about most features.
This section provides background information about features that you cannot configure in the web configurator. In addition, this section identifies related commands in other chapters.
1.4.2 Command Input Values
This section lists common input values for the commands for the feature in one or more tables.
1.4.3 Command Summary
This section lists the commands for the feature in one or more tables.
1.4.4 Command Examples
This section contains any examples for the commands in this feature.
1.4.5 Command Syntax
The following conventions are used in this User’s Guide.
• A command or keyword in courier new must be entered literally as shown. Do not abbreviate.
• Values that you need to provide are in italics.
• Required fields that have multiple choices are enclosed in curly brackets {}.
• A range of numbers is enclosed in angle brackets <>.
• Optional fields are enclosed in square brackets [].
• The | symbol means OR.
1.4.6 Changing the Password
It is highly recommended that you change the password for accessing the NWA/WAC. See
for the appropriate commands.
1.5 CLI Modes
You run CLI commands in one of several modes.
Table 2 CLI Modes

USER mode
• What User users can do: Look at (but not run) available commands
• What Limited-Admin users can do: Look at system information (like Status screen); run basic diagnostics
• What Admin users can do: Look at system information (like Status screen); run basic diagnostics
• How you enter it: Log in to the NWA/WAC
• What the prompt looks like: Router>
• How you exit it: Type exit

PRIVILEGE mode
• What User users can do: Unable to access
• What Limited-Admin users can do: Look at system information (like Status screen); run basic diagnostics
• What Admin users can do: Look at system information (like Status screen); run basic diagnostics
• How you enter it: Type enable in User mode
• What the prompt looks like: Router#
• How you exit it: Type disable

CONFIGURATION mode
• What User users can do: Unable to access
• What Limited-Admin users can do: Unable to access
• What Admin users can do: Configure simple features (such as an address object); create or remove complex parts (such as an interface)
• How you enter it: Type configure terminal in User or Privilege mode
• What the prompt looks like: Router(config)#
• How you exit it: Type exit

SUB-COMMAND mode
• What User users can do: Unable to access
• What Limited-Admin users can do: Unable to access
• What Admin users can do: Configure complex parts (such as an interface) in the NWA/WAC
• How you enter it: Type the command used to create the specific part in Configuration mode
• What the prompt looks like: (varies by part) Router(config-if-brg)# ...
• How you exit it: Type exit
See Chapter 6 on page 41 for more information about the user types.
User users can only log in, look at (but not run) the available commands in User mode, and log out. Limited-Admin users can look at the configuration in the web configurator and CLI, and they can run basic diagnostics in the CLI. Admin users can configure the NWA/WAC in the web configurator or CLI.
At the time of writing, there is not much difference between User and Privilege mode for admin users. This is reserved for future use.
1.6 Shortcuts and Help
1.6.1 List of Available Commands
A list of valid commands can be found by typing ? or [TAB] at the command prompt. To view a list of available commands within a command group, enter <command> ? or <command> [TAB].
Figure 4
Help: Available Commands Example 1
Router> ?
<cr> apply atse clear configure
------------------[Snip]-------------------
shutdown telnet test traceroute wlan-report write
Router>
Figure 5
Help: Available Command Example 2
Router> show ?
<wlan ap interface> aaa account app-watch-dog apply arp-table
------------------[Snip]-------------------
wlan-security-profile wlan-ssid-profile wtp-logging
Router> show
1.6.2 List of Sub-commands or Required User Input
To view detailed help information for a command, enter <command> <sub command> ?.
Figure 6
Help: Sub-command Information Example
Router(config)# ip telnet server ?
;
<cr> port rule
|
Router(config)# ip telnet server
Figure 7
Help: Required User Input Example
Router(config)# ip telnet server port ?
<1..65535>
Router(config)# ip telnet server port
1.6.3 Entering Partial Commands
The CLI does not accept partial or incomplete commands. You may enter a unique part of a command and press [TAB] to have the NWA/WAC automatically display the full command.
For example, if you enter config and press [TAB], the full command of configure automatically displays.
If you enter a partial command that is not unique and press [TAB], the NWA/WAC displays a list of commands that start with the partial command.
Figure 8
Non-Unique Partial Command Example
Router# c
[TAB] clear configure copy
Router# co
[TAB] configure copy
1.6.4 Entering a ? in a Command
Typing a ? (question mark) usually displays help information. However, some commands allow you to input a ?, for example as part of a string. Press [CTRL+V] on your keyboard to enter a ? without the NWA/WAC treating it as a help query.
1.6.5 Command History
The NWA/WAC keeps a list of commands you have entered for the current CLI session. You can use any commands in the history again by pressing the up or down arrow key to scroll through the previously used commands and press [ENTER].
1.6.6 Navigation
Press [CTRL]+A to move the cursor to the beginning of the line. Press [CTRL]+E to move the cursor to the end of the line.
1.6.7 Erase Current Command
Press [CTRL]+U to erase whatever you have currently typed at the prompt (before pressing [ENTER]).
1.6.8 The no Commands
When entering the no commands described in this document, you may not need to type the whole command. For example, with the “[no] mss <536..1452>” command, you use “mss 536” to specify the MSS value. But to disable the MSS setting, you only need to type “no mss” instead of “no mss 536”.
1.7 Input Values
You can use the ? or [TAB] to get more information about the next input value that is required for a command. In some cases, the next input value is a string whose length and allowable characters may not be displayed in the screen. For example, in the following example, the next input value is a string called <description>.
Router# configure terminal
Router(config)# interface lan
Router(config-if-brg)# description ?
<description>
The following table provides more information about input values like <description>.
Table 3
Input-Value Formats for Strings in CLI Commands
TAG # VALUES LEGAL VALUES
* all
1
--
*
ALL
authentication key certificate name community string connection_id contact country code
32-40
16-20
“0x” or “0X” + 32-40 hexadecimal values alphanumeric or ;|`~!@#$%^&*()_+\\{}':,./<>=-
Used in MD5 authentication keys and text authentication key
0-16 alphanumeric or _-
Used in text authentication keys
0-8
1-31
0-63 alphanumeric or _alphanumeric or ;`~!@#$%^&()_+[\]{}',.=alphanumeric or .first character: alphanumeric or -
1+
1-61
0 or 2 alphanumeric or -_: alphanumeric, spaces, or '()+,/:=?;!*#@$_%-.
alphanumeric
custom signature file name description
0-30 alphanumeric or _-.
first character: letter
Used in keyword criteria for log entries
distinguished name domain name email e-mail encryption key file name filter extension fqdn full file name hostname import configuration file import shell script initial string key length license key mac address mail server fqdn name
1-64 alphanumeric, spaces, or '()+,/:=?;!*#@$_%-.
Used in other commands
1-61
1-511 alphanumeric, spaces, or '()+,/:=?;!*#@$_%alphanumeric, spaces, or .@=,_-
0+ lower-case letters, numbers, or .-
Used in ip dns server
1-248 alphanumeric or .first character: alphanumeric or -
Used in domainname, ip dhcp pool, and ip domain
1-255 alphanumeric or ._first character: alphanumeric or alphanumeric or .@_1-63
1-64
16-64
8-32
0-31
1-256 alphanumeric or .@_-
“0x” or “0X” + 16-64 hexadecimal values alphanumeric or ;\|`~!@#$%^&*()_+\\{}':,./<>=alphanumeric or _alphanumeric, spaces, or '()+,/:=?;!*#@$_%.-
Used in ip dns server
1-253 alphanumeric or .first character: alphanumeric or -
Used in ip, time server, device HA, certificates, and interface ping check
1-255 alphanumeric or .first character: alphanumeric or -
0-256 alphanumeric or _/.-
Used in hostname command
1-64 alphanumeric or .-_ first character: alphanumeric or -
Used in other commands
1-253
1-26+”.conf” alphanumeric or .first character: alphanumeric or alphanumeric or ;`~!@#$%^&()_+[]{}',.=add “.conf” at the end
1-26+”.zysh”
1-64
--
25
--
1-31 alphanumeric or ;`~!@#$%^&()_+[]{}',.=add “.zysh” at the end alphanumeric, spaces, or '()+,/:=!*#@$_%-.&
512, 768, 1024, 1536, 2048
“S-” + 6 upper-case letters or numbers + “-” + 16 upper-case letters or numbers aa:bb:cc:dd:ee:ff (hexadecimal) lower-case letters, numbers, or -.
alphanumeric or _-
notification message password: less than 15 chars
1-81
1-15 alphanumeric, spaces, or '()+,/:=?;!*#@$_%alphanumeric or `~!@#$%^&*()_\-+={}|\;:'<,>./
password: less than 8 chars password
1-8 alphanumeric or ;/?:@&=+$\.-_!~*'()%,#$
phone number preshared key profile name proto name protocol name
Used in user and ip
1-63 alphanumeric or `~!@#$%^&*()_-+={}|\;:'<,>./
Used in e-mail log profile SMTP authentication
1-63 alphanumeric or `~!@#$%^&*()_-+={}|\;:'<>./
Used in device HA synchronization
1-63 alphanumeric or ~#%^*_-={}:,.
Used in registration
6-20
1-20
16-64
1-31
1-16
1-31
1-255 alphanumeric or .@_numbers or ,+
“0x” or “0X” + 16-64 hexadecimal values alphanumeric or ;|`~!@#$%^&*()_+\{}':,./<>=alphanumeric or _first character: letters or _lower-case letters, numbers, or alphanumeric or _first character: letters or _alphanumeric, spaces, or ;/?:@&=+$\.-_!~*'()%,
quoted string less than
255 chars quoted string less than
63 chars quoted string
1-63
0+ alphanumeric, spaces, or ;/?:@&=+$\.-_!~*'()%
realm
1-253
0-63
2-8
1-15 alphanumeric, spaces, or punctuation marks enclosed in double quotation marks (“) must put a backslash (\) before double quotation marks that are part of input value itself alphanumeric or -_ first character: alphanumeric or -_ used in domain authentication alphanumeric or -_@$./ hexadecimal alphanumeric or -_
service name spi string less than 15 chars string: less than 63 chars string subject system type timezone
[-+]
hh url url
1-63
1+
1-61
0-2
--
1-511
“http://”+
“https://”+ alphanumeric or `~!@#$%^&*()_-+={}|\;:'<,>./ alphanumeric or -_@ alphanumeric, spaces, or '()+,./:=?;!*#@$_%hexadecimal
-12 through +12 (with or without “+”) alphanumeric or '()+,/:.=?;!*#@$_%alphanumeric or ;/?:@&=+$\.-_!~*'()%, starts with “http://” or “https://” may contain one pound sign (#)
user name
1-31
username
1-31 alphanumeric or _first character: letters or _alphanumeric or _first character: alphanumeric or _domain authorization
username
6-20
user name
1+
1-80
1-15 alphanumeric or .@_registration alphanumeric or -_.
logging commands alphanumeric or .@_alphanumeric or _-
user@domainname vrrp group name: less than 15 chars week-day sequence, i.e.
1=first,2=second xauth method xauth password mac address
1
1-31
1-31
0-12 (even number)
1-4 alphanumeric or _alphanumeric or ;|`~!@#$%^&*()_+\{}':,./<>=hexadecimal for example: xx-xx-xx-xx-xx-xx
1.8 Saving Configuration Changes
Use the write command to save the current configuration to the NWA/WAC.
Note: Always save the changes before you log out after each management session. All unsaved changes will be lost after the system restarts.
1.9 Logging Out
Enter the exit or end command in configure mode to go to privilege mode.
Enter the exit command in user mode or privilege mode to log out of the CLI.
CHAPTER 2
User and Privilege Modes
This chapter describes how to use these two modes.
2.1 User And Privilege Modes
This is the mode you are in when you first log into the CLI. (Do not confuse ‘user mode’ with types of user accounts the NWA/WAC uses. See Chapter 6 on page 41 for more information about the user types. ‘User’ type accounts can only run ‘exit’ in this mode. However, they may need to log into the device in order to be authenticated for ‘user-aware’ policies, for example a firewall rule that a particular user is exempt from.)
Type ‘enable’ to go to ‘privilege mode’. No password is required. All commands can be run from here except those marked with an asterisk. Many of these commands are for trouble-shooting purposes, for example the htm (hardware test module) and debug commands. Customer support may ask you to run some of these commands and send the results if you need assistance troubleshooting your device.
For admin logins, all commands are visible in ‘user mode’ but not all can be run there. The following table displays which commands can be run in ‘user mode’. All commands can be run in ‘privilege mode’.
The htm and psm commands are for ZyXEL’s internal manufacturing process.
Table 4 User (U) and Privilege (P) Mode Commands
COMMAND          MODE  DESCRIPTION
apply            P     Applies a configuration file.
atse             P     Displays the seed code.
clear            P     Clears system or debug logs or DHCP binding.
configure        P     Use ‘configure terminal’ to enter configuration mode.
copy             P     Copies configuration files.
daily-report     P     Sets how and where to send daily reports and what reports to send.
debug (*)        U/P   For support personnel only! The device needs to have the debug flag enabled.
delete           U/P   Deletes configuration files.
details          U/P   Performs diagnostic commands.
diag             P     Provided for support personnel to collect internal system information. It is not recommended that you use these.
diag-info        U/P   Has the NWA/WAC create a new diagnostic file.
dir              U/P   Lists files in a directory.
disable          U/P   Goes from privilege mode to user mode.
enable           U/P   Goes from user mode to privilege mode.
exit             U/P   Goes to a previous mode or logs out.
htm              U/P   Goes to htm (hardware test module) mode for testing hardware components. You may need to use the htm commands if your customer support Engineer asks you to during troubleshooting.
                       Note: These commands are for ZyXEL’s internal manufacturing process.
interface        U/P   Dials or disconnects an interface.
no packet-trace  U/P   Turns off packet tracing.
nslookup         U/P   Resolves an IP address to a host name and vice-versa.
packet-trace     U/P   Performs a packet trace.
ping             U/P   Pings an IP address or host name.
psm              U/P   Goes to psm (product support module) mode for setting product parameters. You may need to use the htm commands if your customer support Engineer asks you to during troubleshooting.
                       Note: These commands are for ZyXEL’s internal manufacturing process.
reboot           P     Restarts the device.
release          P     Releases DHCP information from an interface.
rename           P     Renames a configuration file.
renew            P     Renews DHCP information for an interface.
run              P     Runs a script.
setenv           U/P   Turns stop-on-error on (terminates booting if an error is found in a configuration file) or off (ignores configuration file errors and continues booting).
show             U/P   Displays command statistics. See the associated command chapter in this guide.
shutdown         P     Writes all data to disk and stops the system processes. It does not turn off the power.
telnet           U/P   Establishes a connection to the TCP port number 23 of the specified host name or IP address.
test aaa         U/P   Tests whether the specified user name can be successfully authenticated by an external authentication server.
traceroute       P     Traces the route to the specified host name or IP address.
write            P     Saves the current configuration to the NWA/WAC. All unsaved changes are lost after the NWA/WAC restarts.
Subsequent chapters in this guide describe the configuration commands. User/privilege mode commands that are also configuration commands (for example, ‘show’) are described in more detail in the related configuration command chapter.
2.1.1 Debug Commands
Debug commands marked with an asterisk (*) are not available when the debug flag is on and are for ZyXEL service personnel use only. The debug commands follow a syntax that is Linux-based, so if there is a Linux equivalent, it is displayed in this chapter for your reference. You must know a command listed here well before you use it. Otherwise, it may cause undesired results.
Table 5 Debug Commands
COMMAND SYNTAX / DESCRIPTION / LINUX COMMAND EQUIVALENT
debug app show l7protocol (*)
    Shows app patrol protocol list
    Linux command equivalent: > cat /etc/l7_protocols/protocol.list
debug ca (*)
    Certificate debug commands
debug device-ha (*)
    Device HA debug commands
debug gui (*)
    Web Configurator related debug commands
debug hardware (*)
    Hardware debug commands
debug interface
    Interface debug commands
debug interface ifconfig
    Shows system interfaces detail
    Linux command equivalent: > ifconfig [interface]
debug ip dns
    DNS debug commands
debug logging
    System logging debug commands
debug manufacture
    Manufacturing related debug commands
debug network arpignore (*)
    Enable/Display the ignoring of ARP responses for interfaces which don't own the IP address
    Linux command equivalent: cat /proc/sys/net/ipv4/conf/*/arp_ignore
debug policy-route (*)
    Policy route debug command
debug [cmdexec|corefile|ip|kernel|mac-idrewrite|observer|switch|system|zyinetpkt] (*)
    ZLD internal debug commands
PART II
Reference
CHAPTER 3
Object Reference
This chapter describes how to use object reference commands.
3.1 Object Reference Commands
The object reference commands are used to see which configuration settings reference a specific object. You can use this table when you want to delete an object because you have to remove references to the object first.
Table 6 show reference Commands
COMMAND / DESCRIPTION
show reference object username [username]
    Displays which configuration settings reference the specified user object.
show reference object aaa authentication [default | profile]
    Displays which configuration settings reference the specified AAA authentication object.
show reference object ca category {local|remote} [cert_name]
    Displays which configuration settings reference the specified authentication method object.
show reference object [wlan-radio-profile]
    Displays the specified radio profile object.
show reference object [wlan-monitor-profile]
    Displays the specified monitor profile object.
show reference object [wlan-ssid-profile]
    Displays the specified SSID profile object.
show reference object [wlan-security-profile]
    Displays the specified security profile object.
show reference object [wlan-macfilter-profile]
    Displays the specified macfilter profile object.
3.1.1 Object Reference Command Example
This example shows the names of the WLAN profiles and which security profile each is set to use.
Router(config)# show reference object aaa authentication default
References:
Category
Rule Priority   Rule Name   Description
===========================================================================
WLAN Profile SECURITY
1               default     N/A
WWW
N/A             N/A         N/A
CHAPTER 4
Status
This chapter explains some commands you can use to display information about the NWA/WAC’s current operational state.
Table 7 Status Show Commands
COMMAND / DESCRIPTION
show boot status
    Displays details about the NWA/WAC’s startup state.
show cpu status
    Displays the CPU utilization.
show disk
    Displays the disk utilization.
show extension-slot
    Displays the status of the extension card slot and the USB ports and the names of any connected devices.
show led status
    Displays the status of each LED on the NWA/WAC.
show mac
    Displays the NWA/WAC’s MAC address.
show mem status
    Displays what percentage of the NWA/WAC’s memory is currently being used.
show power mode
    Displays the NWA/WAC’s power status.
    Full - the NWA/WAC receives power using a power adaptor and/or through a PoE switch/injector using IEEE 802.3at PoE plus.
    Limited - the NWA/WAC receives power through a PoE switch/injector using IEEE 802.3af PoE even when it is also connected to a power source using a power adaptor.
    When the NWA/WAC is in limited power mode, the NWA/WAC throughput decreases and has just one transmitting radio chain.
    It always shows Full if the NWA/WAC does not support power detection.
show ram-size
    Displays the size of the NWA/WAC’s on-board RAM.
show serial-number
    Displays the serial number of this NWA/WAC.
show socket listen
    Displays the NWA/WAC’s listening ports.
show socket open
    Displays the ports that are open on the NWA/WAC.
show system uptime
    Displays how long the NWA/WAC has been running since it last restarted or was turned on.
show version
    Displays the NWA/WAC’s model, firmware and build information.
Here are examples of the commands that display the CPU and disk utilization.
Router# show cpu status
CPU utilization: 0 %
CPU utilization for 1 min: 0 %
CPU utilization for 5 min: 0 %
Router# show disk
No. Disk Size(MB) Usage
===========================================================================
1 image 65 82%
2 onboard flash 154 36%
Here are examples of the commands that display the MAC address, memory usage, RAM size, and serial number.
Router(config)# show mac
MAC address: 40:4A:03:42:70:16-40:4A:03:42:70:17
Router(config)# show mem status
memory usage: 19%
Router(config)# show ram-size
ram size: 256MB
Router(config)# show serial-number
serial number: S100D42007115
Here is an example of the command that displays the listening ports.
Router(config)# show socket listen
No. Proto Local_Address Foreign_Address State
===========================================================================
1 tcp 0.0.0.0:80 0.0.0.0:0 LISTEN
2 tcp 192.168.1.245:53 0.0.0.0:0 LISTEN
3 tcp 127.0.0.1:53 0.0.0.0:0 LISTEN
4 tcp 0.0.0.0:21 0.0.0.0:0 LISTEN
5 tcp 0.0.0.0:22 0.0.0.0:0 LISTEN
6 tcp 127.0.0.1:953 0.0.0.0:0 LISTEN
Here is an example of the command that displays the open ports.
Router(config)# show socket open
No. Proto Local_Address Foreign_Address State
===========================================================================
1 udp 0.0.0.0:1812 0.0.0.0:0
2 udp 0.0.0.0:1814 0.0.0.0:0
3 udp 0.0.0.0:161 0.0.0.0:0
4 udp 172.23.26.245:53 0.0.0.0:0
5 0.0.1:53 0.0.0.0:0
6 udp 0.0.0.0:43386 0.0.0.0:0
7 udp 0.0.0.0:5246 0.0.0.0:0
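An added example, not part of the Zyxel guide: a Python check that parses saved "show socket listen" and "show socket open" output and reports management services that run unencrypted and are bound to a non-loopback address. The port-to-service map and the function names are assumptions of this example; SAMPLE reuses rows from the two outputs above, including one row that is missing its protocol column.

```python
import ipaddress
import re

# Assumption of this example: services on these well-known ports carry
# logins or management data without transport encryption.
CLEARTEXT_SERVICES = {
    ("tcp", 21): "FTP",
    ("tcp", 23): "Telnet",
    ("tcp", 80): "HTTP",
    ("udp", 161): "SNMP (v1/v2c)",
}

# Data row layout: No. Proto Local_Address Foreign_Address [State]
ROW = re.compile(r"^(\d+)\s+(tcp|udp)\s+(\S+):(\d+)\s+\S+:\d+(?:\s+(\S+))?$")


def parse_sockets(text):
    """Parse socket table output into (rows, malformed).

    rows is a list of dicts; malformed holds numbered lines that do not
    fit the expected columns, so a damaged capture is never silently
    treated as "nothing listening".
    """
    rows, malformed = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or not line[0].isdigit():
            continue  # prompt line, column header or separator
        match = ROW.match(line)
        if match is None:
            malformed.append(line)
            continue
        number, proto, addr, port, state = match.groups()
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            malformed.append(line)
            continue
        rows.append({"no": int(number), "proto": proto, "ip": ip,
                     "port": int(port), "state": state or ""})
    return rows, malformed


def cleartext_exposures(rows):
    """Return (service, proto, port, scope) for each cleartext service
    reachable from the network, in table order."""
    findings = []
    for row in rows:
        service = CLEARTEXT_SERVICES.get((row["proto"], row["port"]))
        if service is None or row["ip"].is_loopback:
            continue
        scope = "all interfaces" if row["ip"].is_unspecified else str(row["ip"])
        findings.append((service, row["proto"], row["port"], scope))
    return findings


# Rows reused from the guide's example output (constructed capture file).
SAMPLE = """\
Router(config)# show socket listen
No. Proto Local_Address Foreign_Address State
===========================================================================
1 tcp 0.0.0.0:80 0.0.0.0:0 LISTEN
2 tcp 192.168.1.245:53 0.0.0.0:0 LISTEN
3 tcp 127.0.0.1:53 0.0.0.0:0 LISTEN
4 tcp 0.0.0.0:21 0.0.0.0:0 LISTEN
5 tcp 0.0.0.0:22 0.0.0.0:0 LISTEN
6 tcp 127.0.0.1:953 0.0.0.0:0 LISTEN
Router(config)# show socket open
No. Proto Local_Address Foreign_Address State
===========================================================================
1 udp 0.0.0.0:1812 0.0.0.0:0
3 udp 0.0.0.0:161 0.0.0.0:0
5 0.0.1:53 0.0.0.0:0
"""

if __name__ == "__main__":
    parsed, bad = parse_sockets(SAMPLE)
    for service, proto, port, scope in cleartext_exposures(parsed):
        print(f"cleartext service: {service} on {proto}/{port} ({scope})")
    for line in bad:
        print(f"could not parse row, review by hand: {line}")
```

Rows that fail to parse are returned separately so they can be reviewed by hand instead of being dropped from the audit.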
Here are examples of the commands that display the system uptime and model, firmware, and build information.
Router> show system uptime
system uptime: 04:18:00
Router> show version
ZyXEL Communications Corp.
model : NWA3160-N
firmware version: 2.23(UJA.0)b2
BM version : 1.13
build date : 2010-12-21 09:10:11
This example shows the current LED states on the NWA/WAC. The SYS LED is on and green.
Router> show led status
sys: green
Router>
CHAPTER 5
Interfaces
This chapter shows you how to use interface-related commands.
5.1 Interface Overview
In general, an interface has the following characteristics.
• An interface is a logical entity through which (layer-3) packets pass.
• An interface is bound to a physical port or another interface.
• Many interfaces can share the same physical port.
Some characteristics do not apply to some types of interfaces.
5.1.1 Types of Interfaces
You can create several types of interfaces in the NWA/WAC:
• Ethernet interfaces are the foundation for defining other interfaces and network policies.
• VLAN interfaces receive and send tagged frames. The NWA/WAC automatically adds or removes the tags as needed.
5.2 Interface General Commands Summary
The following table identifies the values required for many of these commands. Other input values are discussed with the corresponding commands.
Table 8 Input Values for General Interface Commands
LABEL / DESCRIPTION
interface_name
    The name of the interface.
    Ethernet interface: gex, x = 1 - N, where N equals the highest numbered Ethernet interface for your NWA/WAC model.
    VLAN interface: vlanx, x = 0 - 511
domain_name
    Fully-qualified domain name. You may use up to 254 alphanumeric characters, dashes (-), or periods (.), but the first character cannot be a period.
The following sections introduce commands that are supported by several types of interfaces.
5.2.1 Basic Interface Properties and IP Address Commands
This table lists basic properties and IP address commands.
Table 9 interface General Commands: Basic Properties and IP Address Assignment
COMMAND
    DESCRIPTION
capwap ap vlan vlan-id <1..4094> <tag|untag>
    When the NWA/WAC is in managed mode, this sets the AP’s VLAN identification number and sets it to send tagged or untagged packets.
interface-name {bridge_interface} user_defined_name
    Specifies a name for a bridge interface. It can use alphanumeric characters, hyphens, and underscores, and it can be up to 11 characters long.
    ethernet_interface: This must be the system name of a bridge interface. Use the show interface-name command to see the system name of interfaces.
    user_defined_name:
    • This name cannot be one of the following: "ethernet", "ppp", "vlan", "bridge", "virtual", "wlan", "cellular", "aux", "tunnel", "status", "summary", "all"
    • This name cannot begin with one of the following either: "ge", "ppp", "vlan", "wlan-", "br", "cellular", "aux", "tunnel".
interface-rename old_user_defined_name new_user_defined_name
    Modifies the user-defined name of an Ethernet interface.
interface send statistics interval <15..3600>
    Sets how often the NWA/WAC sends interface statistics to external servers. For example, a syslog server.
[no] interface interface_name
    Creates the specified interface if necessary and enters subcommand mode. The no command deletes the specified interface.
[no] description description
    Specifies the description for the specified interface. The no command clears the description.
    description: You can use alphanumeric and ()+/:=?!*#@$_%- characters, and it can be up to 60 characters long.
[no] downstream <0..1048576>
    This is reserved for future use.
    Specifies the downstream bandwidth for the specified interface. The no command sets the downstream bandwidth to 1048576.
exit
    Leaves the sub-command mode.
[no] ip address dhcp
    Makes the specified interface a DHCP client; the DHCP server gives the specified interface its IP address, subnet mask, and gateway. The no command makes the IP address a static IP address for the specified interface. (See the next command to set this IP address.)
[no] ip address ip subnet_mask
    Assigns the specified IP address and subnet mask to the specified interface. The no command clears the IP address and the subnet mask.
[no] ip gateway ip
    Adds the specified gateway using the specified interface. The no command removes the gateway.
ip gateway ip metric <0..15>
    Sets the priority (relative to every gateway on every interface) for the specified gateway. The lower the number, the higher the priority.
Table 9 interface General Commands: Basic Properties and IP Address Assignment (continued)
COMMAND
    DESCRIPTION
[no] metric <0..15>
    Sets the interface’s priority relative to other interfaces. The lower the number, the higher the priority.
[no] mss <536..1460>
    Specifies the maximum segment size (MSS) the interface is to use. MSS is the largest amount of data, specified in bytes, that the interface can handle in a single, unfragmented piece. The no command has the interface use its default MSS.
[no] mtu <576..1500>
    Specifies the Maximum Transmission Unit, which is the maximum number of bytes in each packet moving through this interface. The NWA/WAC divides larger packets into smaller fragments. The no command resets the MTU to 1500.
[no] shutdown
    Deactivates the specified interface. The no command activates it.
traffic-prioritize {tcp-ack|dns} bandwidth <0..1048576> priority <1..7> [maximize-bandwidth-usage]
    Applies traffic priority when the interface sends TCP-ACK traffic, or traffic for resolving domain names. It also sets how much bandwidth the traffic can use and can turn on maximize bandwidth usage.
traffic-prioritize {tcp-ack|dns} deactivate
    Turns off traffic priority settings for when the interface sends the specified type of traffic.
[no] upstream <0..1048576>
    Specifies the upstream bandwidth for the specified interface. The no command sets the upstream bandwidth to 1048576.
manager ap vlan vlan-id <1..4094> <tag|untag>
    When the NWA/WAC is in standalone or controller mode, this sets the AP’s VLAN identification number and sets it to send tagged or untagged packets.
manager ap vlan ip address [ip subnet_mask | dhcp]
    Sets the management IPv4 address for the NWA/WAC.
manager ap vlan [no] ipv6 address ipv6_addr/prefix
    Sets the IPv6 address and the prefix length for the LAN interface of the NWA/WAC. The no command removes the IPv6 address settings.
manager ap vlan [no] ipv6 dhcp6 {address-request | client}
    Set the NWA/WAC to act as a DHCPv6 client or get this interface’s IPv6 address from a DHCPv6 server. The no command sets the NWA/WAC to not get this interface’s IPv6 address from the DHCPv6 server.
manager ap vlan [no] ipv6 dhcp6-request-object dhcp6_profile
    For a DHCPv6 client interface, sets the profile of DHCPv6 request settings that determine what additional information to get from the DHCPv6 server. The no command removes the DHCPv6 request settings profile.
manager ap vlan [no] ipv6 enable
    Enables IPv6 stateless auto-configuration on the NWA/WAC. The NWA/WAC will generate an IPv6 address itself from a prefix obtained from an IPv6 router in the network. The no command disables IPv6 stateless auto-configuration.
manager ap vlan [no] ipv6 gateway ipv6_addr
    Sets the IPv6 address of the default outgoing gateway. The no command removes the IPv6 gateway settings.
manager ap vlan [no] ipv6 nd ra accept
    Sets the IPv6 interface to accept IPv6 neighbor discovery router advertisement messages. The no command sets the IPv6 interface to discard IPv6 neighbor discovery router advertisement messages.
Table 9 interface General Commands: Basic Properties and IP Address Assignment (continued)
COMMAND
    DESCRIPTION
manager ap vlan [no] ip gateway ip
    Sets the manager gateway address. The no command removes the gateway.
show interface {ethernet | vlan} status
    Displays the connection status of the specified type of interfaces.
show interface {interface_name | ethernet | vlan | all}
    Displays information about the specified interface, specified type of interfaces, or all interfaces.
show interface send statistics interval
    Displays the interval for how often the NWA/WAC refreshes the sent packet statistics for the interfaces.
show interface summary all
    Displays basic information about the interfaces.
show interface summary all status
    Displays the connection status of the interfaces.
show interface-name
    Displays all Ethernet interface system name and user-defined name mappings.
show ipv6 interface {interface_name | bridge | vlan | ethernet | all}
    Displays information about the specified IPv6 interface, specified type of IPv6 interfaces, or all IPv6 interfaces.
show ipv6 nd ra status interface_name
    Displays the specified IPv6 interface’s IPv6 router advertisement configuration.
show ipv6 static address interface interface_name
    Displays the static IPv6 addresses configured on the specified IPv6 interface.
5.2.1.1 Basic Interface Properties Command Examples
Use these commands to set LAN settings. Use manager ap vlan ip address to set the LAN interface to use a static IP address or DHCP. If you set an attribute twice, the latter setting overrides the previous one.
The following commands configure the LAN Ethernet interface to use IP address 1.1.1.1, netmask 255.255.255.0, and gateway address 1.2.3.4.
Router(config)# manager ap vlan ip address 1.1.1.1 255.255.255.0
Router(config)# manager ap vlan ip gateway 1.2.3.4
The following command makes the LAN Ethernet interface a DHCP client.
Router(config)# manager ap vlan ip address dhcp
This example sets the LAN Ethernet interface’s management VLAN ID to 100, untagged.
Router(config)# manager ap vlan vlan-id 100 untag
5.3 Port Commands
This section covers commands that are specific to ports.
Note: In CLI, representative interfaces are also called representative ports.
Table 10 Basic Interface Setting Commands
COMMAND
    DESCRIPTION
no port <1..x>
    Removes the specified physical port from its current representative interface and adds it to its default representative interface (for example, port x --> ge x).
port status Port<1..x>
    Enters a sub-command mode to configure the specified port’s settings.
[no] duplex <full | half>
    Sets the port’s duplex mode. The no command returns the default setting.
exit
    Leaves the sub-command mode.
[no] negotiation auto
    Sets the port to use auto-negotiation to determine the port speed and duplex. The no command turns off auto-negotiation.
[no] speed <100,10>
    Sets the Ethernet port’s connection speed in Mbps. The no command returns the default setting.
show port setting
    Displays the Ethernet port negotiation, duplex, and speed settings.
show port status
    Displays statistics for the Ethernet ports.
show port type
    Displays the type of cable connection for each physical interface on the device.
show manager vlan
    Displays the LAN interface’s management interface settings.
5.3.1 Port Command Examples
The following example shows port status.
Router# show port status
Port Status TxPkts RxPkts TxBcast RxBcast Colli. TxB/s RxB/s
Up Time PVID
===============================================================================
1 1000M/Full 465 5452 411 2647 0 812 612
00:13:28 1
2 Down 0 0 0 0 0 0 0
00:00:00 1
3 Down 0 0 0 0 0 0 0
00:00:00 1
4 Down 0 0 0 0 0 0 0
00:00:00 1
Router#
The following example shows port settings.
Router(config)# show port setting
Port Negotiation Duplex Speed EEE
===============================================================================
1 auto full 1000 no
The following example shows LAN settings.
Router(config)# show manager vlan
Management Interface:
VLAN ID: 100
VLAN Tag: untag
IP Status: static
IP Address: 192.168.1.2
Mask: 255.255.255.0
Gateway: 0.0.0.0
The following example shows each port’s type of cable connection.
Router(config)# show port type
Port Type
===========================================================================
1 Copper
5.4 VLAN Interface Specific Commands
A Virtual Local Area Network (VLAN) divides a physical network into multiple logical networks. The standard is defined in IEEE 802.1q.
In the NWA/WAC, each VLAN is called a VLAN interface. As a router, the NWA/WAC routes traffic between VLAN interfaces, but it does not route traffic within a VLAN interface.
Note: vlan0 is the default VLAN interface. It cannot be deleted and its VID cannot be changed.
Otherwise, VLAN interfaces are similar to other interfaces in many ways. They have an IP address, subnet mask, and gateway used to make routing decisions. They restrict bandwidth and packet size. They can verify the gateway is available.
The following table identifies the values required for many of these commands. Other input values are discussed with the corresponding commands.
Table 11 Input Values for VLAN Interface Commands
LABEL
    DESCRIPTION
config_interface
    The VLAN interface name. You may use 0-511 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.
gateway
    The gateway IP address of the interface. Enter a standard IPv4 IP address (for example, 127.0.0.1).
addr
    The network mask IP address. Enter a standard IPv4 IP address.
netmask
    The network mask IP address. Enter a standard IPv4 IP address.
description
    Sets the description of the interface. You may use 0-511 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.
The following table describes the commands available for VLAN interface management. You must use the configure terminal command to enter the configuration mode before you can use these commands.
Table 12 Command Summary: VLAN Interface Profile
COMMAND
    DESCRIPTION
[no] interface config_interface
    Enters configuration mode for the specified interface. Use the no parameter to remove the specified profile.
vlanid <1..4094> <tag|untag>
    Sets the interface’s VLAN identification number and sets it to send tagged or untagged packets.
[no] ip address addr netmask
    Sets the interface’s IP address and subnet mask address. Use the no parameter to remove these values from this interface.
[no] ip address dhcp [metric <0..15>]
    Sets the interface to use the DHCP to acquire an IP address.
    Enter the metric (priority) of the gateway (if any) on this interface. The NWA/WAC decides which gateway to use based on this priority. The lower the number, the higher the priority. If two or more gateways have the same priority, the NWA/WAC uses the one that was configured first.
mtu <576..1500>
    Sets the maximum size of each data packet, in bytes, that can move through this interface. If a larger packet arrives, the NWA/WAC divides it into smaller fragments.
no mtu
    Disables the mtu feature for this interface.
[no] ip gateway gateway [metric <0..15>]
    Enter the IP address of the gateway. The NWA/WAC sends packets to the gateway when it does not know how to route the packet to its destination. The gateway should be on the same network as the interface.
    Also enter the metric (priority) of the gateway (if any) on this interface. The NWA/WAC decides which gateway to use based on this priority. The lower the number, the higher the priority. If two or more gateways have the same priority, the NWA/WAC uses the one that was configured first.
no vlan-id
    Removes the VLAN ID from the interface.
upstream <0..1048576>
    Sets the maximum amount of traffic, in kilobits per second, the NWA/WAC can send through the interface to the network.
no upstream
    Disables the upstream bandwidth limit.
downstream <0..1048576>
    Sets the maximum amount of traffic, in kilobits per second, the NWA/WAC can receive from the network through the interface.
no downstream
    Disables the downstream bandwidth limit.
description description
    Sets the description of this interface. It is not used elsewhere. You can use alphanumeric and ()+/:=?!*#@$_%- characters, and it can be up to 60 characters long.
no description
    Removes the VLAN description.
[no] shutdown
    Exits this sub-command mode, saving all changes but without enabling the VLAN.
[no] ip helper-address
    Enables the IP helper address.
exit
    Exits configuration mode for this interface.
5.4.1 VLAN Interface Examples
This example sets an NWA/WAC in standalone mode to use VLAN ID 1 and send untagged packets.
Router(config)# manager ap vlan vlan-id 1 untag
Router(config)#
This example sets an NWA/WAC in managed mode to use VLAN ID 1 and send untagged packets.
Router(config)# capwap ap vlan vlan-id 1 untag
Router(config)#
CHAPTER 6
Users
This chapter describes how to set up user accounts and user settings for the NWA/WAC. You can also set up rules that control when users have to log in to the NWA/WAC before the NWA/WAC routes traffic for them.
6.1 User Account Overview
A user account defines the privileges of a user logged into the NWA/WAC. User accounts are used in firewall rules and application patrol, in addition to controlling access to configuration and services in the NWA/WAC.
6.1.1 User Types
These are the types of user accounts the NWA/WAC uses.
Table 13 Types of User Accounts
TYPE
    ABILITIES
    LOGIN METHOD(S)
Admin Users
admin
    Abilities: Change NWA/WAC configuration (web, CLI)
    Login method(s): WWW, TELNET, SSH, FTP, Console
limited-admin
    Abilities: Look at NWA/WAC configuration (web, CLI); Perform basic diagnostics (CLI)
    Login method(s): WWW, TELNET, SSH, Console
Access Users
user
    Abilities: Used for the embedded RADIUS server and SNMPv3 user access; Browse user-mode commands (CLI)
6.2 User Commands Summary
The following table identifies the values required for many username commands. Other input values are discussed with the corresponding commands.
Table 14 user Command Input Values
LABEL
    DESCRIPTION
username
    The name of the user (account). You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.
The following sections list the username commands.
6.2.1 Username and User Commands
The first table lists the commands for users.
Table 15 username Commands Summary: Users
COMMAND
    DESCRIPTION
show username [username]
    Displays information about the specified user or about all users set up in the NWA/WAC.
username username nopassword user-type {admin | guest | limited-admin | user}
    Creates the specified user (if necessary), disables the password, and sets the user type for the specified user.
username username password password user-type {admin | guest | limited-admin | user}
    Creates the specified user (if necessary); enables and sets the password; and sets the user type for the specified user.
    password: You can use 1-63 printable ASCII characters, except double quotation marks (“) and question marks (?).
username username encrypted-password <ciphertext> user-type {admin | guest | limited-admin | user}
    Sets a user account password by ciphertext.
username username user-type ext-group-user
    Creates the specified user (if necessary) and sets the user type to Ext-User.
no username username
    Deletes the specified user.
username rename username username
    Renames the specified user (first username) to the specified username (second username).
username username [no] description description
    Sets the description for the specified user. The no command clears the description.
    description: You can use alphanumeric and ()+/:=?!*#@$_%- characters, and it can be up to 60 characters long.
username username encrypted-password <password>
    Sets a user account password by ciphertext.
    Normally you would use username password <clear text> to set the password.
    In special cases (for GUI apply), you can use username encrypted-password <ciphertext> to set the password.
username username logon-time-setting <default | manual>
    Sets the account to use the factory default lease and reauthentication times or custom ones.
username username [no] logon-lease-time <0..1440>
    Sets the lease time for the specified user. Set it to zero to set unlimited lease time. The no command sets the lease time to five minutes (regardless of the current default setting for new users).
username username [no] logon-re-auth-time <0..1440>
    Sets the reauthorization time for the specified user. Set it to zero to set unlimited reauthorization time. The no command sets the reauthorization time to thirty minutes (regardless of the current default setting for new users).
6.2.2 User Setting Commands
This table lists the commands for user settings.
Table 16 users Commands Summary: Settings
COMMAND
    DESCRIPTION
show users default-setting {all | user-type {admin | limited-admin}}
    Displays the default lease and reauthentication times for the specified type of user accounts.
users default-setting [no] logon-lease-time <0..1440>
    Sets the default lease time (in minutes) for each new user. Set it to zero to set unlimited lease time. The no command sets the default lease time to five.
users default-setting [no] logon-re-auth-time <0..1440>
    Sets the default reauthorization time (in minutes) for each new user. Set it to zero to set unlimited reauthorization time. The no command sets the default reauthorization time to thirty.
users default-setting [no] user-type <admin | limited-admin>
    Sets the default user type for each new user. The no command sets the default user type to user.
show users retry-settings
    Displays the current retry limit settings for users.
[no] users retry-limit
    Enables the retry limit for users. The no command disables the retry limit.
[no] users retry-count <1..99>
    Sets the number of failed login attempts a user can have before the account or IP address is locked out for lockout-period minutes. The no command sets the retry-count to five.
[no] users lockout-period <1..65535>
    Sets the amount of time, in minutes, a user or IP address is locked out after retry-count number of failed login attempts. The no command sets the lockout period to thirty minutes.
show users simultaneous-logon-settings
    Displays the current settings for simultaneous logins by users.
[no] users simultaneous-logon {administration | access} enforce
    Enables the limit on the number of simultaneous logins by users of the specified account-type. The no command disables the limit, or allows an unlimited number of simultaneous logins.
[no] users simultaneous-logon {administration | access} limit <1..1024>
    Sets the limit for the number of simultaneous logins by users of the specified account-type. The no command sets the limit to one.
6.2.2.1 User Setting Command Examples
The following commands show the current settings for the number of simultaneous logins.
Router# configure terminal
Router(config)# show users simultaneous-logon-settings
enable simultaneous logon limitation for administration account: no
maximum simultaneous logon per administration account : 1
6.2.3 Additional User Commands
This table lists additional commands for users.
Table 17 users Commands Summary: Additional
COMMAND
    DESCRIPTION
show users {username | all | current}
    Displays information about the users logged onto the system.
show lockout-users
    Displays users who are currently locked out.
unlock lockout-users ip | console
    Unlocks the specified IP address.
users force-logout ip | username
    Logs out the specified logins.
6.2.3.1 Additional User Command Examples
The following commands display the users that are currently logged in to the NWA/WAC and force the logout of all logins from a specific IP address.
Router# configure terminal
Router(config)# show users all
No. Name Type From
Service Session Time Idle Time Lease Timeout Re-Auth. Timeout
===============================================================================
1 admin admin 172.23.26.101
http/https 04:31:01 unlimited unlimited unlimited
2 admin admin console
console 04:23:51 unlimited unlimited unlimited
Router(config)# users force-logout 172.23.26.101
Logout user 'admin'(from 172.23.26.101): OK
Total 1 user has been forced logout
Router(config)# show users all
No. Name Type From
Service Session Time Idle Time Lease Timeout Re-Auth. Timeout
===============================================================================
1 admin admin console
console 04:24:55 unlimited unlimited unlimited
The following commands display the users that are currently locked out and then unlock the user who is displayed.
Router# configure terminal
Router(config)# show lockout-users
No. Username Tried From Lockout Time Remaining
===========================================================================
No. From Failed Login Attempt Record Expired Timer
===========================================================================
1 172.23.23.60 2 46
Router(config)# unlock lockout-users 172.23.23.60
User from 172.23.23.60 is unlocked
Router(config)# show lockout-users
No. Username Tried From Lockout Time Remaining
===========================================================================
No. From Failed Login Attempt Record Expired Timer
===========================================================================
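The following Python script is an added example, not part of the Zyxel guide: it parses text in the layout the guide prints for show users all and flags logged-in sessions worth reviewing against the login methods and lease settings described in this chapter. The sample text, session 3 (account name, address, the "telnet" service label and timer values), the allow-list of management addresses and the finding names are assumptions constructed for illustration.

```python
import re
from dataclasses import dataclass

# Constructed sample in the layout the guide prints for `show users all`.
# Session 3 (account, address, "telnet" label, timer values) is invented here.
SAMPLE = """\
Router(config)# show users all
No. Name Type From
Service Session Time Idle Time Lease Timeout Re-Auth. Timeout
===============================================================================
1 admin admin 172.23.26.101
http/https 04:31:01 unlimited unlimited unlimited
2 admin admin console
console 04:23:51 unlimited unlimited unlimited
3 helpdesk limited-admin 172.23.26.77
telnet 00:02:10 00:00:40 00:02:50 00:27:50
Router(config)#
"""

FIELDS = 9  # No., Name, Type, From, Service, Session, Idle, Lease, Re-Auth.
PROMPT = re.compile(r"^\S+[#>](\s|$)")  # "Router(config)# ..." or "Router>"
CLEARTEXT = {"telnet", "ftp"}  # assumed Service labels for cleartext logins


@dataclass(frozen=True)
class Session:
    number: int
    name: str
    user_type: str
    source: str
    service: str
    session_time: str
    idle_time: str
    lease_timeout: str
    reauth_timeout: str


def parse_show_users(text):
    """Return the sessions listed after the '=====' ruler.

    Fields never contain spaces, so records are read as a stream of nine
    tokens each. That copes with a record wrapped over two lines (as in the
    guide) as well as one printed on a single line.
    """
    lines = [ln.strip() for ln in text.splitlines()]
    rulers = [i for i, ln in enumerate(lines) if ln and set(ln) == {"="}]
    if not rulers:
        raise ValueError("no '=' ruler found: not `show users all` output")
    tokens = []
    for ln in lines[rulers[0] + 1:]:
        if PROMPT.match(ln):  # the next CLI prompt ends the table
            break
        tokens.extend(ln.split())
    if len(tokens) % FIELDS:
        raise ValueError("truncated table: %d leftover field(s)"
                         % (len(tokens) % FIELDS))
    sessions = []
    for i in range(0, len(tokens), FIELDS):
        rec = tokens[i:i + FIELDS]
        if not rec[0].isdigit():
            raise ValueError("record does not start with a row number: %r" % rec)
        sessions.append(Session(int(rec[0]), *rec[1:]))
    return sessions


def audit(sessions, allowed_sources=frozenset()):
    """Return (row number, finding) pairs for sessions worth reviewing."""
    findings = []
    by_account = {}
    for s in sessions:
        remote = s.source != "console"
        if remote and s.service.lower() in CLEARTEXT:
            findings.append((s.number, "cleartext-service"))
        if (remote and s.user_type == "admin"
                and "unlimited" in (s.lease_timeout, s.reauth_timeout)):
            findings.append((s.number, "unlimited-admin-timeout"))
        if remote and s.source not in allowed_sources:
            findings.append((s.number, "unexpected-source"))
        by_account.setdefault(s.name, []).append(s)
    # The same account active from more than one place at the same time.
    for group in by_account.values():
        if len({g.source for g in group}) > 1:
            findings.extend((g.number, "simultaneous-logon") for g in group)
    return findings


if __name__ == "__main__":
    for row, finding in audit(parse_show_users(SAMPLE), {"172.23.26.101"}):
        print(row, finding)
```

Findings map back to this chapter's commands: users force-logout for a session that should not exist, the logon-lease-time and logon-re-auth-time settings for unlimited timers, and users simultaneous-logon for shared accounts.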
CHAPTER 7
AP Management
This chapter shows you how to configure wireless AP management options on your NWA/WAC.
7.1 AP Management Overview
The NWA/WAC allows you to remotely manage all of the Access Points (APs) on your network. You can manage a number of APs without having to configure them individually as the NWA/WAC automatically handles basic configuration for you.
The commands in this chapter allow you to add, delete, and edit the APs managed by the NWA/WAC by means of the CAPWAP protocol. An AP must be moved from the wait list to the management list before you can manage it. If you do not want to use this registration mechanism, you can disable it and then any newly connected AP is registered automatically.
The following figure illustrates a CAPWAP wireless network. The user (U) configures the controller AP (C), which then automatically updates the configurations of the managed APs (M1 ~ M4).
Figure 9 CAPWAP Network Example
Let’s say one AP (M3) starts giving you trouble. You can log into the NWA/WAC via console or Telnet and troubleshoot, for example by viewing its traffic statistics, rebooting it, or even removing it altogether from the list of viable APs that stations can use.
7.2 AP Management Commands
The following table identifies the values required for many of these commands. Other input values are discussed with the corresponding commands.
Table 18 Input Values for General AP Management Commands
LABEL
    DESCRIPTION
ap_mac
    The Ethernet MAC address of the managed AP. Enter 6 hexadecimal pairs separated by colons. You can use 0-9, a-z and A-Z.
slot_name
    The slot name for the AP’s on-board wireless LAN card. Use either slot1 or slot2. (Not all NWA/WACs support 2 radio slots.)
profile_name
    The wireless LAN radio profile name. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.
ap_description
    The AP description. This is strictly used for reference purposes and has no effect on any other settings. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.
sta_mac
    The Ethernet MAC address of the managed station (or wireless client). Enter 6 hexadecimal pairs separated by colons. You can use 0-9, a-z and A-Z.
The following table describes the commands available for AP management. You must use the configure terminal command to enter the configuration mode before you can use these commands.
Table 19 Command Summary: AP Management
COMMAND
    DESCRIPTION
wlan slot_name
    Enters the sub-command mode for the specified radio on the NWA/WAC.
[no] activate
    Enables the specified radio. The no command disables the radio.
ap profile radio_profile_name
    Sets the radio (slot_name) to AP mode and assigns a created radio profile to the radio.
output-power power
    Sets the output power (between 0 to 30 dBm) for the specified radio.
repeater profile radio_profile_name
    Sets the specified radio (slot_name) to repeater mode and assigns a created radio profile to the radio.
rootap profile radio_profile_name
    Sets the specified radio (slot_name) to root AP mode and assigns a created radio profile to the radio.
ssid profile index ssid_profile_name
    Assigns an SSID profile to this radio. Requires an existing SSID profile.
wds_profile wds_profile_name
    Selects the WDS profile the radio (in repeater or root AP mode) uses to connect to a root AP or repeater.
wds_uplink {auto | manual bssid mac_address}
    Sets how the radio (in repeater mode) connects to a root AP or repeater.
    auto: to have the NWA/WAC automatically use the settings in the applied WDS profile to connect to a root AP or repeater.
    manual: to have the NWA/WAC connect to the root AP or repeater with the specified MAC address. You need to configure the MAC address of the root AP or repeater with which you want the NWA/WAC to associate.
Table 19 Command Summary: AP Management (continued)
COMMAND
    DESCRIPTION
wireless-bridge {enable | disable}
    Enables or disables wireless bridging on the specified radio (slot_name). The WAC must support LAN provision and the radio should be in repeater mode. VLAN and bridge interfaces are created automatically according to the LAN port’s VLAN settings.
    When wireless bridging is enabled, the WAC in repeater mode can still transmit data through its Ethernet port(s) after the WDS link is up. Be careful to avoid bridge loops.
    The WACs in the same WDS must use the same static VLAN ID.
show wlan slot_name
    Displays the operating mode and profile settings for the specified radio.
show wlan slot_name detail
    Displays the SSID, MAC address, VLAN ID and security mode for the specified radio.
show wlan slot_name list all sta
    Displays statistics for the specified radio’s wireless traffic.
show wireless-hal current channel
    Displays the channel number the NWA/WAC’s radio is using.
show wireless-hal station info
    Displays the connected station information of the NWA/WAC’s radio.
show wireless-hal station number
    Displays the number of wireless clients that are currently connected to the NWA/WAC.
show wireless-hal statistic
    Displays the overall traffic information of the NWA/WAC’s radio.
show wireless-hal wds info {all | downlink | uplink}
    Displays the WDS traffic statistics between the NWA/WAC and a root AP or repeaters.
    Uplink refers to the WDS link from the repeaters to the root AP.
    Downlink refers to the WDS link from the root AP to the repeaters.
show wireless-hal wds interface {all | downlink | uplink}
    Displays status information for the WDS links.
    Uplink refers to the WDS link from the repeaters to the root AP.
    Downlink refers to the WDS link from the root AP to the repeaters.
show wireless-hal wds number
    Displays the number of the root AP or repeater to which the NWA/WAC is connected using WDS.
7.3 AP Management Client Commands
The following table describes the commands available for configuring CAPWAP client APs. You must use the configure terminal command to enter the configuration mode before you can use these commands.
Table 20 Command Summary: AP Client Commands
COMMAND
    DESCRIPTION
capwap ap ac-ip {primary ip secondary ip | auto}
    Sets the AP controller’s address or sets the NWA/WAC (in managed mode) to use DHCP option 138 to get the AP controller’s IP address.
capwap ap vlan ip address {ip subnet_mask | dhcp}
    Sets the IP address of the managed AP or sets it to use DHCP.
Table 20 Command Summary: AP Client Commands (continued)
COMMAND
    DESCRIPTION
capwap ap vlan [no] ip gateway ip
    Adds the gateway address of the managed AP. The no command removes the gateway setting.
capwap ap vlan [no] ipv6 address ipv6_addr/prefix
    Sets the IPv6 address and the prefix length of the managed AP. The no command removes the IPv6 address settings.
capwap ap vlan [no] ipv6 dhcp6 {address-request | client}
    Set the managed AP to act as a DHCPv6 client or get an IPv6 address from a DHCPv6 server. The no command sets the managed AP to not get the IPv6 address from the DHCPv6 server.
capwap ap vlan [no] ipv6 dhcp6-request-object dhcp6_profile
    Sets the profile of DHCPv6 request settings that determine what additional information to get from the DHCPv6 server. The no command removes the DHCPv6 request settings profile.
capwap ap vlan [no] ipv6 enable
    Enables IPv6 stateless auto-configuration on the managed AP. The managed AP will generate an IPv6 address itself from a prefix obtained from an IPv6 router in the network. The no command disables IPv6 stateless auto-configuration.
capwap ap vlan [no] ipv6 gateway ipv6_addr
    Sets the IPv6 address of the default outgoing gateway. The no command removes the IPv6 gateway settings.
capwap ap vlan [no] ipv6 nd ra accept
    Sets the managed AP to accept IPv6 neighbor discovery router advertisement messages. The no command sets the managed AP to discard IPv6 neighbor discovery router advertisement messages.
capwap ap vlan vlan-id <1..4094> [tag | untag]
    Sets the VLAN ID and tagging setting of the managed AP.
hybrid-mode [managed | standalone]
    Sets the NWA/WAC to act as a CAPWAP managed AP, or uses it in its default standalone mode.
    When the NWA/WAC is in standalone mode, you can manage the NWA/WAC using its own web configurator or commands.
    When the NWA/WAC is in managed mode, it can be configured ONLY by the AP controller.
show capwap ap info
    Displays information about the managed AP’s wireless usage.
show capwap ap discovery-type
    Displays how the managed AP gets its IP address.
show capwap ap ac-ip
    Displays the controller’s IP address.
show hybrid-mode
    Displays the NWA/WAC management mode.
7.3.1 AP Management Client Commands Example
The following example shows you how to configure the NWA/WAC management mode to allow it to be managed by an AP controller and check the NWA/WAC management mode.
Router# configure terminal
Router(config)# hybrid-mode managed
Router(config)# show hybrid-mode
mode: managed
Router(config)#
The following example shows you how to configure the interface of a managed AP, set the AP controller IP address and display the related settings.
Router# configure terminal
Router(config)# show capwap_wtp ap discovery-type
Discovery type : Broadcast
Router(config)# capwap ap vlan ip address 192.168.1.37 255.255.255.0
Router(config)# capwap ap vlan ip gateway 192.168.1.32
Router(config)# capwap ap ac-ip 192.168.1.1 192.168.1.2
Router(config)# show capwap ap discovery-type
Discovery type : Static AC IP
Router(config)# show capwap ap ac-ip
AC IP: 192.168.1.1 192.168.1.2
Router(config)# exit
Router# show capwap ap info
SM-State RUN(8)
msg-buf-usage 0/10 (Usage/Max)
capwap-version 10118
Radio Number 1/4 (Usage/Max)
BSS Number 8/8 (Usage/Max)
IANA ID 037a
Description AP-0013499999FF
CHAPTER 8
Wireless LAN Profiles
This chapter shows you how to configure wireless LAN profiles on your NWA/WAC.
8.1 Wireless LAN Profiles Overview
The NWA/WACs are designed to work explicitly with your NWA/WACs. If you do not have on-board configuration files, you must create “profiles” to manage them. Profiles are preset configurations that are uploaded to the APs and which manage them. They include: Radio and Monitor profiles, SSID profiles, Security profiles, and MAC Filter profiles. Altogether, these profiles give you absolute control over your wireless network.
8.2 AP Radio & Monitor Profile Commands
The radio profile commands allow you to set up configurations for the radios onboard your various APs. The monitor profile commands allow you to set up monitor mode configurations that allow your APs to scan for other APs in the vicinity.
The following table identifies the values required for many of these commands. Other input values are discussed with the corresponding commands.
Table 21 Input Values for General Radio and Monitor Profile Commands

LABEL
    DESCRIPTION

radio_profile_name
    The radio profile name. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.

monitor_profile_name
    The monitor profile name. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.

wireless_channel_2g
    Sets the 2 GHz channel used by this radio profile. The channel range is 1 ~ 14.
    Note: Your choice of channel may be restricted by regional regulations.

wireless_channel_5g
    Sets the 5 GHz channel used by this radio profile. The channel range is 36 ~ 165.
    Note: Your choice of channel may be restricted by regional regulations.

wlan_htcw
    Sets the HT channel width. Select either 20, 20/40, or 20/40/80.

wlan_htgi
    Sets the HT guard interval. Select either long or short.

chain_mask
    Sets the network traffic chain mask. The range is 1 ~ 7.

scan_method
    Sets the radio’s scan method while in Monitor mode. Select manual or auto.

wlan_interface_index
    Sets the radio interface index number. The range is 1 ~ 8.

wds_lan_interface_index
    Sets the AP-WDS mode interface’s index number. The range is 1 ~ 8.

The following table describes the commands available for radio and monitor profile management. You must use the configure terminal command to enter the configuration mode before you can use these commands.
Table 22 Command Summary: Radio Profile

COMMAND
    DESCRIPTION

show wlan-radio-profile {ap | monitor} {all | rule_count | [radio_profile_name]}
    Displays the radio profile(s).
    all: Displays all profiles for the selected operating mode.
    rule_count: Displays how many radio profiles are created on the NWA/WAC.
    radio_profile_name: Displays the specified profile for the selected operating mode.

wlan-radio-profile rename radio_profile_name1 radio_profile_name2
    Gives an existing radio profile (radio_profile_name1) a new name (radio_profile_name2).

[no] wlan-radio-profile radio_profile_name
    Enters configuration mode for the specified radio profile. Use the no parameter to remove the specified profile.

[no] activate
    Makes this profile active or inactive.

band wlan_band band_mode wlan_band_mode
    Sets the radio band (2.4 GHz or 5 GHz) and 802.11 wireless mode for this profile.
    wlan_band: 2.4G or 5G
    wlan_band_mode: 11n, bg, bgn, a, ac, an

2g-channel wireless_channel_2g
    Sets the broadcast band for this profile in the 2.4 GHz frequency range. The default is 6.

2g-multicast-speed wlan_2g_support_speed
    When you disable multicast to unicast, use this command to set the data rate {1.0 | 2.0 | …} in Mbps for 2.4 GHz multicast traffic.

5g-channel wireless_channel_5g
    Sets the broadcast band for this profile in the 5 GHz frequency range.

5g-multicast-speed wlan_5g_basic_speed
    When you disable multicast to unicast, use this command to set the data rate {6.0 | 9.0 | …} in Mbps for 5 GHz multicast traffic.

[no] ampdu
    Activates MPDU frame aggregation for this profile. Use the no parameter to disable it.
    Message Protocol Data Unit (MPDU) aggregation collects Ethernet frames along with their 802.11n headers and wraps them in a 802.11n MAC header. This method is useful for increasing bandwidth throughput in environments that are prone to high error rates.
    By default this is enabled.

[no] amsdu
    Activates MPDU frame aggregation for this profile. Use the no parameter to disable it.
    Mac Service Data Unit (MSDU) aggregation collects Ethernet frames without any of their 802.11n headers and wraps the header-less payload in a single 802.11n MAC header. This method is useful for increasing bandwidth throughput. It is also more efficient than A-MPDU except in environments that are prone to high error rates.
    By default this is enabled.

beacon-interval <40..1000>
    Sets the beacon interval for this profile.
    When a wirelessly networked device sends a beacon, it includes with it a beacon interval. This specifies the time period before the device sends the beacon again. The interval tells receiving devices on the network how long they can wait in low-power mode before waking up to handle the beacon. This value can be set from 40ms to 1000ms. A high value helps save current consumption of the access point.
    The default is 100.

[no] block-ack
    Makes block-ack active or inactive. Use the no parameter to disable it.

ch-width wlan_htcw
    Sets the channel width for this profile.

[no] ctsrts <0..2347>
    Sets or removes the RTS/CTS value for this profile.
    Use RTS/CTS to reduce data collisions on the wireless network if you have wireless clients that are associated with the same AP but out of range of one another. When enabled, a wireless client sends an RTS (Request To Send) and then waits for a CTS (Clear To Send) before it transmits. This stops wireless clients from transmitting packets at the same time (and causing data collisions).
    A wireless client sends an RTS for all packets larger than the number (of bytes) that you enter here. Set the RTS/CTS equal to or higher than the fragmentation threshold to turn RTS/CTS off.
    The default is 2347.

[no] disable-dfs-switch
    Makes the DFS switch active or inactive. By default this is inactive.

dtim-period <1..255>
    Sets the DTIM period for this profile.
    Delivery Traffic Indication Message (DTIM) is the time period after which broadcast and multicast packets are transmitted to mobile clients in the Active Power Management mode. A high DTIM value can cause clients to lose connectivity with the network. This value can be set from 1 to 255.
    The default is 1.

description description
    Sets the description for the profile. You may use up to 60 alphanumeric characters, underscores (_), or dashes (-). This value is case-sensitive.

dcs time-interval interval
    Sets the interval that specifies how often DCS should run.

dcs sensitivity-level {high | medium | low}
    Sets how sensitive DCS is to radio channel changes in the vicinity of the AP running the scan.

dcs client-aware {enable|disable}
    When enabled, this ensures that the NWA/WAC will not change channels as long as a client is connected to it. If disabled, the NWA/WAC may change channels regardless of whether it has clients connected to it or not.

dcs channel-deployment {3-channel|4-channel}
    Sets either a 3-channel deployment or a 4-channel deployment.
    In a 3-channel deployment, the AP running the scan alternates between the following channels: 1, 6, and 11.
    In a 4-channel deployment, the AP running the scan alternates between the following channels: 1, 4, 7, and 11 (FCC) or 1, 5, 9, and 13 (ETSI).
    Set the option that is applicable to your region. (Channel deployment may be regulated differently between countries and locales.)

dcs 2g-selected-channel 2.4g_channels
    Specifies the channels that are available in the 2.4 GHz band when you manually configure the channels the NWA/WAC can use.

dcs 5g-selected-channel 5g_channels
    Specifies the channels that are available in the 5 GHz band when you manually configure the channels the NWA/WAC can use.

dcs dcs-2g-method {auto|manual}
    Sets the NWA/WAC to automatically search for available channels or manually configure the channels the NWA/WAC uses in the 2.4 GHz band.

dcs dcs-5g-method {auto|manual}
    Sets the NWA/WAC to automatically search for available channels or manually configure the channels the NWA/WAC uses in the 5 GHz band.

dcs dfs-aware {enable|disable}
    Enable this to allow an NWA/WAC to avoid phase DFS channels below the 5 GHz spectrum.

dcs mode {interval|schedule}
    Sets the NWA/WAC to use DCS at the end of the specified time interval or at a specific time on selected days of the week.

dcs schedule <hh:mm> {mon|tue|wed|thu|fri|sat|sun}
    Sets what time of day (in 24-hour format) the NWA/WAC starts to use DCS on the specified day(s) of the week.

[no] dot11n-disable-coexistence
    Fixes the channel bandwidth as 40 MHz. The no command has the NWA/WAC automatically choose 40 MHz if all the clients support it or 20 MHz if some clients only support 20 MHz.

[no] frag <256..2346>
    Sets or removes the fragmentation value for this profile.
    The threshold (number of bytes) for the fragmentation boundary for directed messages. It is the maximum data fragment size that can be sent.
    The default is 2346.

guard-interval wlan_htgi
    Sets the guard interval for this profile.
    The default for this is short.

[no] htprotect
    Activates HT protection for this profile. Use the no parameter to disable it.
    By default, this is disabled.

limit-ampdu <100..65535>
    Sets the maximum frame size to be aggregated.
    By default this is 50000.

subframe-ampdu <2..64>
    Sets the maximum number of frames to be aggregated each time.
    By default this is 32.

limit-amsdu <2290..4096>
    Sets the maximum frame size to be aggregated.
    The default is 4096.

[no] multicast-to-unicast
    “Multicast to unicast” broadcasts wireless multicast traffic to all wireless clients as unicast traffic to provide more reliable transmission. The data rate changes dynamically based on the application’s bandwidth requirements. Although unicast provides more reliable transmission of the multicast traffic, it also produces duplicate packets.
    The no command turns multicast to unicast off to send wireless multicast traffic at the rate you specify with the 2g-multicast-speed or 5g-multicast-speed command.

role {ap}
    Sets the profile’s wireless LAN radio operating mode.
    Use ap to have the radio function as an access point with one or more BSSIDs.

rssi-dbm <-20~-76>
    When using the RSSI threshold, set a minimum client signal strength for connecting to the AP. -20 dBm is the strongest signal you can require and -76 is the weakest.

rssi-kickout <-20~-90>
    Sets a minimum kick-off signal strength. When a wireless client’s signal strength is lower than the specified threshold, the NWA/WAC disconnects the wireless client.
    -20 dBm is the strongest signal you can require and -90 is the weakest.

[no] rssi-retry
    Allows a wireless client to try to associate with the NWA/WAC again after it is disconnected due to weak signal strength.
    Use the no parameter to disallow it.

rssi-retrycount <1~100>
    Sets the maximum number of times a wireless client can attempt to re-connect to the NWA/WAC.

[no] rssi-thres
    Sets whether or not to use the Received Signal Strength Indication (RSSI) threshold to ensure wireless clients receive good throughput. This allows only wireless clients with a strong signal to connect to the NWA/WAC.

tx-mask chain_mask
    Sets the outgoing chain mask.

rx-mask chain_mask
    Sets the incoming chain mask.

exit
    Exits configuration mode for this profile.

show wlan-monitor-profile {all | rule_count | [monitor_profile_name]}
    Displays all monitor profiles or just the specified one.
    rule_count: Displays how many monitor profiles are created on the NWA/WAC.

wlan-monitor-profile rename monitor_profile_name1 monitor_profile_name2
    Gives an existing monitor profile (monitor_profile_name1) a new name (monitor_profile_name2).

[no] wlan-monitor-profile monitor_profile_name
    Enters configuration mode for the specified monitor profile. Use the no parameter to remove the specified profile.

[no] activate
    Makes this profile active or inactive.
    By default, this is enabled.

description description
    Sets the description for the profile. You may use up to 60 alphanumeric characters, underscores (_), or dashes (-). This value is case-sensitive.

scan-method scan_method
    Sets the channel scanning method for this profile.

[no] 2g-scan-channel wireless_channel_2g
    Sets the broadcast band for this profile in the 2.4 GHz frequency range. Use the no parameter to disable it.

[no] 5g-scan-channel wireless_channel_5g
    Sets the broadcast band for this profile in the 5 GHz frequency range. Use the no parameter to disable it.

scan-dwell <100..1000>
    Sets the duration in milliseconds that the device using this profile scans each channel.

exit
    Exits configuration mode for this profile.

8.2.1 AP radio & Monitor Profile Commands Example
The following example shows you how to set up the radio profile named ‘RADIO01’, activate it, and configure it to use the following settings:
• 2.4G band and 802.11ac wireless mode with channel 6
• channel width of 20MHz
• a DTIM period of 2
• a beacon interval of 100ms
• AMPDU frame aggregation enabled
• an AMPDU buffer limit of 65535 bytes
• an AMPDU subframe limit of 64 frames
• AMSDU frame aggregation enabled
• an AMSDU buffer limit of 4096
• block acknowledgement enabled
• a short guard interval
Router(config)# wlan-radio-profile RADIO01
Router(config-profile-radio)# activate
Router(config-profile-radio)# band 2.4G band_mode ac
Router(config-profile-radio)# 2g-channel 6
Router(config-profile-radio)# ch-width 20m
Router(config-profile-radio)# dtim-period 2
Router(config-profile-radio)# beacon-interval 100
Router(config-profile-radio)# ampdu
Router(config-profile-radio)# limit-ampdu 65535
Router(config-profile-radio)# subframe-ampdu 64
Router(config-profile-radio)# amsdu
Router(config-profile-radio)# limit-amsdu 4096
Router(config-profile-radio)# block-ack
Router(config-profile-radio)# guard-interval short
Router(config-profile-radio)# tx-mask 5
Router(config-profile-radio)# rx-mask 7
8.3 SSID Profile Commands
The following table identifies the values required for many of these commands. Other input values are discussed with the corresponding commands.
Table 23 Input Values for General SSID Profile Commands

LABEL
    DESCRIPTION

ssid_profile_name
    The SSID profile name. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.

ssid
    The SSID broadcast name. You may use 1-32 alphanumeric characters, underscores (_), or dashes (-). This value is case-sensitive.

wlan_qos
    Sets the type of QoS the SSID should use.
    disable: Turns off QoS for this SSID.
    wmm: Turns on QoS for this SSID. It automatically assigns Access Categories to packets as the device inspects them in transit.
    wmm_be: Assigns the “best effort” Access Category to all traffic moving through the SSID regardless of origin.
    wmm_bk: Assigns the “background” Access Category to all traffic moving through the SSID regardless of origin.
    wmm_vi: Assigns the “video” Access Category to all traffic moving through the SSID regardless of origin.
    wmm_vo: Assigns the “voice” Access Category to all traffic moving through the SSID regardless of origin.

securityprofile
    Assigns an existing security profile to the SSID profile. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.

macfilterprofile
    Assigns an existing MAC filter profile to the SSID profile. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.

description2
    Sets the description of the profile. You may use up to 60 alphanumeric characters, underscores (_), or dashes (-). This value is case-sensitive.

The following table describes the commands available for SSID profile management. You must use the configure terminal command to enter the configuration mode before you can use these commands.
Table 24 Command Summary: SSID Profile

COMMAND
    DESCRIPTION

show wlan-ssid-profile {all | rule_count | [ssid_profile_name]}
    Displays the SSID profile(s).
    all: Displays all profiles.
    rule_count: Displays how many SSID profiles are created on the NWA/WAC.
    ssid_profile_name: Displays the specified profile.

wlan-ssid-profile rename ssid_profile_name1 ssid_profile_name2
    Gives an existing SSID profile (ssid_profile_name1) a new name (ssid_profile_name2).

[no] wlan-ssid-profile ssid_profile_name
    Enters configuration mode for the specified SSID profile. Use the no parameter to remove the specified profile.

[no] block-intra
    Enables intra-BSSID traffic blocking. Use the no parameter to disable it in this profile.
    By default this is disabled.

description description
    Sets a descriptive name for this profile.

downlink-rate-limit data_rate
    Sets the maximum incoming transmission data rate (either in mbps or kbps) on a per-station basis.

exit
    Exits configuration mode for this profile.

[no] hide
    Prevents the SSID from being publicly broadcast. Use the no parameter to re-enable public broadcast of the SSID in this profile.
    By default this is disabled.

[no] l2isolation l2profile
    Assigns the specified layer-2 isolation profile to this SSID profile. Use the no parameter to remove it.
    By default, no layer-2 isolation profile is assigned.

[no] macfilter macfilterprofile
    Assigns the specified MAC filtering profile to this SSID profile. Use the no parameter to remove it.
    By default, no MAC filter is assigned.

qos wlan_qos
    Sets the type of QoS used by this SSID.

security securityprofile
    Assigns the specified security profile to this SSID profile.

ssid
    Sets the SSID. This is the name visible on the network to wireless clients. Enter up to 32 characters, spaces and underscores are allowed.
    The default SSID is ‘ZyXEL’.

[no] ssid-schedule
    Enables the SSID schedule. Use the no parameter to disable the SSID schedule.

{mon|tue|wed|thu|fri|sat|sun} {disable | enable} <hh:mm> <hh:mm>
    Sets whether the SSID is enabled or disabled on each day of the week. This also specifies the hour and minute (in 24-hour format) to set the time period of each day during which the SSID is enabled/enabled.
    <hh:mm> <hh:mm>: If you set both start time and end time to 00:00, it indicates a whole day event.
    Note: The end time must be larger than the start time.

uplink-rate-limit data_rate
    Sets the maximum outgoing transmission data rate (either in mbps or kbps) on a per-station basis.

[no] vlan-id <1..4094>
    Applies to each SSID profile. If the VLAN ID is equal to the AP’s native VLAN ID then traffic originating from the SSID is not tagged.
    The default VLAN ID is 1.

8.3.1 SSID Profile Example
The following example creates an SSID profile named ‘SSID01’ that uses the SSID ‘ZyXEL’. It assumes that both the security profile (SECURITY01) and the MAC filter profile (MACFILTER01) already exist.
Router(config)# wlan-ssid-profile SSID01
Router(config-ssid-radio)# ssid ZyXEL
Router(config-ssid-radio)# qos wmm
Router(config-ssid-radio)# security SECURITY01
Router(config-ssid-radio)# macfilter MACFILTER01
Router(config-ssid-radio)# exit
Router(config)#
8.4 Security Profile Commands
The following table identifies the values required for many of these commands. Other input values are discussed with the corresponding commands.
Table 25 Input Values for General Security Profile Commands

LABEL
    DESCRIPTION

security_profile_name
    The security profile name. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.

wep_key
    Sets the WEP key encryption strength. Select either 64bit or 128bit.

wpa_key
    Sets the WPA/WPA2 pre-shared key in ASCII. You may use 8~63 alphanumeric characters. This value is case-sensitive.

wpa_key_64
    Sets the WPA/WPA2 pre-shared key in HEX. You must use 64 alphanumeric characters.

secret
    Sets the shared secret used by your network’s RADIUS server.

auth-method
    The authentication method used by the security profile.

The following table describes the commands available for security profile management. You must use the configure terminal command to enter the configuration mode before you can use these commands.
Table 26 Command Summary: Security Profile

COMMAND
    DESCRIPTION

show wlan-security-profile {all | rule_count | [security_profile_name]}
    Displays the security profile(s).
    all: Displays all profiles.
    rule_count: Displays how many security profiles are created on the NWA/WAC.
    security_profile_name: Displays the specified profile.

wlan-security-profile rename security_profile_name1 security_profile_name2
    Gives an existing security profile (security_profile_name1) a new name (security_profile_name2).

[no] wlan-security-profile security_profile_name
    Enters configuration mode for the specified security profile. Use the no parameter to remove the specified profile.

description description
    Sets the description for the profile. You may use up to 60 alphanumeric characters, underscores (_), or dashes (-). This value is case-sensitive.

mode <none | wep | wpa2 | wpa2-mix>
    Sets the security mode for this profile.

idle <30..30000>
    Sets the idle interval (in seconds) that a client can be idle before authentication is discontinued.
    The default is 3000.

[no] dot11w
    Data frames in 802.11 WLANs can be encrypted and authenticated with WEP, WPA or WPA2. But 802.11 management frames, such as beacon/probe response, association request, association response, de-authentication and disassociation are always unauthenticated and unencrypted. IEEE 802.11w Protected Management Frames allows APs to use the existing security mechanisms (encryption and authentication methods defined in IEEE 802.11i WPA/WPA2) to protect management frames. This helps prevent wireless DoS attacks.
    Enables management frame protection (MFP) to add security to 802.11 management frames. Use the no parameter to disable it.

dot11w-op <1..2>
    Sets whether wireless clients have to support management frame protection in order to access the wireless network.
    1: if you do not require the wireless clients to support MFP. Management frames will be encrypted if the clients support MFP.
    2: wireless clients must support MFP in order to join the NWA/WAC’s wireless network.

group-key <30..30000>
    Sets the interval (in seconds) at which the AP updates the group WPA/WPA2 encryption key.
    The default is 1800.

[no] dot1x-eap
    Enables 802.1x secure authentication. Use the no parameter to disable it.

eap {external | internal auth_method}
    Sets the 802.1x authentication method.

[no] mac-auth activate
    MAC authentication has the AP use an external server to authenticate wireless clients by their MAC addresses. Users cannot get an IP address if the MAC authentication fails. The no parameter turns it off.
    RADIUS servers can require the MAC address in the wireless client’s account (username/password) or Calling Station ID RADIUS attribute.

mac-auth auth-method auth_method
    Sets the authentication method for MAC authentication.

mac-auth case account {upper | lower}
    Sets the case (upper or lower) the external server requires for using MAC addresses as the account username and password.
    For example, use mac-auth case account upper and mac-auth delimiter account dash if you need to use a MAC address formatted like 00-11-AC-01-A0-11 as the username and password.

mac-auth case calling-station-id {upper | lower}
    Sets the case (upper or lower) the external server requires for letters in MAC addresses in the Calling Station ID RADIUS attribute.

mac-auth delimiter account {colon | dash | none}
    Specify the separator the external server uses for the two-character pairs within MAC addresses used as the account username and password.
    For example, use mac-auth case account upper and mac-auth delimiter account dash if you need to use a MAC address formatted like 00-11-AC-01-A0-11 as the username and password.

mac-auth delimiter calling-station-id {colon | dash | none}
    Select the separator the external server uses for the pairs in MAC addresses in the Calling Station ID RADIUS attribute.

[no] server-auth <1..2> activate
    Activates server authentication. Use the no parameter to deactivate.

server-auth <1..2> IPv4 port port secret secret
    Sets the server authentication IPv4 port and shared secret.

[no] server-auth <1..2>
    Clears the server authentication setting.

wep <64 | 128> default-key <1..4>
    Sets the WEP encryption strength (64 or 128) and the default key index (1 ~ 4).

wep-auth-type <open | share>
    Sets the authentication key type to either open or share.

wep-key <1..4> wep_key
    If you select WEP-64 enter 10 hexadecimal digits in the range of “A-F”, “a-f” and “0-9” (for example, 0x11AA22BB33) for each Key used; or enter 5 ASCII characters (case sensitive) ranging from “a-z”, “A-Z” and “0-9” (for example, MyKey) for each Key used.
    If you select WEP-128 enter 26 hexadecimal digits in the range of “A-F”, “a-f” and “0-9” (for example, 0x00112233445566778899AABBCC) for each Key used; or enter 13 ASCII characters (case sensitive) ranging from “a-z”, “A-Z” and “0-9” (for example, MyKey12345678) for each Key used.
    You can save up to four different keys. Enter the default-key (1 ~ 4) to save your WEP to one of those four available slots.

wpa-encrypt <aes | auto>
    Sets the WPA/WPA2 encryption cipher type.
    auto: This automatically chooses the best available cipher based on the cipher in use by the wireless client that is attempting to make a connection.
    aes: This is the Advanced Encryption Standard encryption method, a newer more robust algorithm than TKIP. Not all wireless clients may support this.

wpa-psk {wpa_key | wpa_key_64}
    Sets the WPA/WPA2 pre-shared key.

[no] wpa2-preauth
    Enables pre-authentication to allow wireless clients to switch APs without having to re-authenticate their network connection. The RADIUS server puts a temporary PMK Security Authorization cache on the wireless clients. It contains their session ID and a pre-authorized list of viable APs.
    Use the no parameter to disable this.

[no] reauth <30..30000>
    Sets the interval (in seconds) between authentication requests.
    The default is 0.

exit
    Exits configuration mode for this profile.

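The mac-auth case and mac-auth delimiter settings decide the exact string the external server has to hold for each client. The following Python check is an added example, not part of the Zyxel guide: it renders a MAC address the way a case/delimiter pair describes and lists stored account names that are MAC addresses in a different notation. The function names and the account list are constructed, and it assumes the server compares account names as exact strings.

```python
import re

# Separators named by "mac-auth delimiter ... {colon | dash | none}".
DELIMITERS = {"colon": ":", "dash": "-", "none": ""}
CASES = ("upper", "lower")


def normalise(mac):
    """Return the 12 hex digits of a MAC address in lower case.

    Accepts colon-, dash- or dot-separated input as well as bare digits.
    Raises ValueError for anything that is not a 48-bit MAC address.
    """
    digits = re.sub(r"[:.\-]", "", mac.strip())
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError("not a MAC address: %r" % mac)
    return digits.lower()


def render(mac, case, delimiter):
    """Format a MAC address as the given case/delimiter settings describe."""
    if case not in CASES or delimiter not in DELIMITERS:
        raise ValueError("unknown case or delimiter setting")
    digits = normalise(mac)
    if case == "upper":
        digits = digits.upper()
    pairs = [digits[i:i + 2] for i in range(0, 12, 2)]
    return DELIMITERS[delimiter].join(pairs)


def mismatched_accounts(usernames, case, delimiter):
    """List (stored, expected) pairs for MAC-style account names whose
    notation differs from what the AP settings describe.

    Assumption: the external server compares account names exactly.
    """
    mismatches = []
    for name in usernames:
        try:
            expected = render(name, case, delimiter)
        except ValueError:
            continue  # an ordinary user account, not a MAC address
        if name != expected:
            mismatches.append((name, expected))
    return mismatches


# Constructed account names as they might be stored on the external server.
SAMPLE_ACCOUNTS = ["00-11-AC-01-A0-11", "00:11:ac:01:a0:12",
                   "0011AC01A013", "alice"]

if __name__ == "__main__":
    # Settings from the guide's example: case upper, delimiter dash.
    for stored, expected in mismatched_accounts(SAMPLE_ACCOUNTS, "upper", "dash"):
        print("%s differs from the configured form %s" % (stored, expected))
```

Run the same comparison with the calling-station-id settings when the server matches on the Calling Station ID attribute instead of the account name.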
8.4.1 Security Profile Example
The following example creates a security profile with the name ‘SECURITY01’.
Router(config)# wlan-security-profile SECURITY01
Router(config-security-profile)# mode wpa2
Router(config-security-profile)# wpa-encrypt aes
Router(config-security-profile)# wpa-psk 12345678
Router(config-security-profile)# idle 3600
Router(config-security-profile)# reauth 1800
Router(config-security-profile)# group-key 1800
Router(config-security-profile)# exit
Router(config)#
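A check that can be run over security-profile lines before they are typed into the CLI, added here as an example in Python (it is not part of the Zyxel guide). It uses only the commands and value ranges listed in Tables 25 and 26; the finding codes, the 16-character minimum and the reading of wpa2-mix as the WPA/WPA2 mixed mode are assumptions of this example.

```python
import re

MIN_PSK_LEN = 16  # assumed local policy value, not from the guide
HEX64 = re.compile(r"[0-9A-Fa-f]{64}")             # wpa_key_64 form
PROMPT = re.compile(r"^Router(\([^)]*\))?#\s*")    # prompt, if pasted

# The commands of section 8.4.1, pasted together with their prompts.
EXAMPLE_8_4_1 = """\
Router(config)# wlan-security-profile SECURITY01
Router(config-security-profile)# mode wpa2
Router(config-security-profile)# wpa-encrypt aes
Router(config-security-profile)# wpa-psk 12345678
Router(config-security-profile)# idle 3600
Router(config-security-profile)# reauth 1800
Router(config-security-profile)# group-key 1800
Router(config-security-profile)# exit
"""

# Constructed profile; the profile name and passphrase are made up.
CONSTRUCTED_STRICT = """\
wlan-security-profile SECURITY02
mode wpa2
wpa-encrypt aes
wpa-psk Constructed0Sample0Passphrase0Only
dot11w
dot11w-op 2
exit
"""


def parse_profiles(text):
    """Return {profile name: {first word of command: argument string}}.

    A "no" form is stored as False, a bare command such as "dot11w" as "".
    Keying on the first word is enough for the settings audited below.
    """
    profiles, current = {}, None
    for raw in text.splitlines():
        words = PROMPT.sub("", raw.strip()).split()
        if not words:
            continue
        if words[0] == "wlan-security-profile" and len(words) == 2:
            current = profiles.setdefault(words[1], {})
        elif words[0] == "exit":
            current = None
        elif current is not None:
            if words[0] == "no" and len(words) > 1:
                current[words[1]] = False
            else:
                current[words[0]] = " ".join(words[1:])
    return profiles


def audit(settings):
    """Return (code, message) findings for one parsed profile."""
    findings = []
    mode = settings.get("mode")
    if mode == "none":
        findings.append(("OPEN", "mode none: traffic is not encrypted"))
    elif mode == "wep":
        findings.append(("WEP", "mode wep: WEP no longer protects traffic"))
    elif mode == "wpa2-mix":
        # Assumption: wpa2-mix is the WPA/WPA2 mixed mode.
        findings.append(("MIXED", "mode wpa2-mix: WPA-only clients can join"))
    if mode not in ("wpa2", "wpa2-mix"):
        return findings
    if settings.get("wpa-encrypt") == "auto":
        findings.append(("CIPHER_AUTO", "wpa-encrypt auto: cipher follows "
                         "the client; aes pins AES"))
    if settings.get("dot11w", False) is False:
        findings.append(("NO_PMF", "dot11w not enabled in these lines: "
                         "management frames stay unprotected"))
    elif settings.get("dot11w-op") != "2":
        findings.append(("PMF_OPTIONAL", "dot11w-op is not 2: clients "
                         "without MFP can still join"))
    psk = settings.get("wpa-psk")
    uses_eap = settings.get("dot1x-eap", False) is not False
    if isinstance(psk, str) and not uses_eap and not HEX64.fullmatch(psk):
        if not (psk.isascii() and psk.isalnum() and 8 <= len(psk) <= 63):
            findings.append(("PSK_FORMAT", "wpa-psk must be 8~63 "
                             "alphanumeric characters or 64 hex digits"))
        elif len(psk) < MIN_PSK_LEN or psk.isdigit():
            findings.append(("PSK_WEAK", "wpa-psk is shorter than "
                             "%d characters or digits only" % MIN_PSK_LEN))
    return findings


def audit_text(text):
    """Audit every security profile found in a block of CLI lines."""
    return {name: audit(settings)
            for name, settings in parse_profiles(text).items()}


if __name__ == "__main__":
    for sample in (EXAMPLE_8_4_1, CONSTRUCTED_STRICT):
        for name, findings in audit_text(sample).items():
            print(name, "OK" if not findings else "")
            for code, message in findings:
                print("  [%s] %s" % (code, message))
```

For the profile in section 8.4.1 the check reports NO_PMF and PSK_WEAK; the constructed profile adds dot11w with dot11w-op 2 and a longer key and reports nothing.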
8.5 MAC Filter Profile Commands
The following table identifies the values required for many of these commands. Other input values are discussed with the corresponding commands.
Table 27 Input Values for General MAC Filter Profile Commands

LABEL
    DESCRIPTION

macfilter_profile_name
    The MAC filter profile name. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.

description
    Sets the description of the MAC address. You may use up to 60 alphanumeric characters, underscores (_), or dashes (-). This value is case-sensitive.

The following table describes the commands available for MAC filter profile management. You must use the configure terminal command to enter the configuration mode before you can use these commands.
Table 28 Command Summary: MAC Filter Profile

COMMAND
    DESCRIPTION

show wlan-macfilter-profile {all | rule_count | [macfilter_profile_name]}
    Displays the MAC filter profile(s).
    all: Displays all profiles.
    rule_count: Displays how many MAC filter profiles are created on the NWA/WAC.
    macfilter_profile_name: Displays the specified profile.

wlan-macfilter-profile rename macfilter_profile_name1 macfilter_profile_name2
    Gives an existing MAC filter profile (macfilter_profile_name1) a new name (macfilter_profile_name2).

[no] wlan-macfilter-profile macfilter_profile_name
    Enters configuration mode for the specified MAC filter profile. Use the no parameter to remove the specified profile.

filter-action {allow | deny}
    Permits the wireless client with the MAC addresses in this profile to connect to the network through the associated SSID; select deny to block the wireless clients with the specified MAC addresses.
    The default is set to deny.

[no] mac_addr [description description]
    Specifies a MAC address associated with this profile. You can also set a description for the MAC address. Enter up to 60 characters. Spaces and underscores allowed.

exit
    Exits configuration mode for this profile.

8.5.1 MAC Filter Profile Example
The following example creates a MAC filter profile with the name ‘MACFILTER01’.
Router(config)# wlan-macfilter-profile MACFILTER01
Router(config-macfilter-profile)# filter-action deny
Router(config-macfilter-profile)# 01:02:03:04:05:06 description MAC01
Router(config-macfilter-profile)# 01:02:03:04:05:07 description MAC02
Router(config-macfilter-profile)# 01:02:03:04:05:08 description MAC03
Router(config-macfilter-profile)# exit
Router(config)#
8.6 Layer-2 Isolation Profile Commands
The following table identifies the values required for many of these commands. Other input values are discussed with the corresponding commands.
Table 29 Input Values for General Layer-2 Isolation Profile Commands

LABEL: l2isolation_profile_name
DESCRIPTION: The layer-2 isolation profile name. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.

LABEL: mac_address
DESCRIPTION: The MAC address of the device that is allowed to communicate with the NWA/WAC’s wireless clients. Enter 6 hexadecimal pairs separated by colons. You can use 0-9, a-z and A-Z.

LABEL: description
DESCRIPTION: Sets the description name of MAC address in the profile. You may use 1-60 alphanumeric characters, underscores (_), or dashes (-).
The following table describes the commands available for Layer-2 Isolation profile management. You must use the configure terminal command to enter the configuration mode before you can use these commands.
Table 30 Command Summary: Layer-2 Isolation Profile

COMMAND: show wlan-l2isolation-profile {all | rule_count | [l2isolation_profile_name]}
DESCRIPTION: Displays the layer-2 isolation profile(s) settings.
all: Displays settings of all layer-2 isolation profiles configured on the NWA/WAC.
rule_count: Displays how many layer-2 isolation profiles are created on the NWA/WAC.
l2isolation_profile_name: Displays settings of the specified profile.

COMMAND: wlan-l2isolation-profile rename l2isolation_profile_name1 l2isolation_profile_name2
DESCRIPTION: Gives the existing layer-2 isolation profile (l2isolation_profile_name1) a new name, (l2isolation_profile_name2).

COMMAND: [no] wlan-l2isolation-profile l2isolation_profile_name
DESCRIPTION: Enters configuration mode for the specified layer-2 isolation profile. Use the no parameter to remove the specified profile.

COMMAND: [no] mac_address
DESCRIPTION: Sets the MAC address of the device that is allowed to communicate with the NWA/WAC’s wireless clients in this profile.

COMMAND: description description
DESCRIPTION: Sets the description name for the MAC address associated with this profile.

COMMAND: exit
DESCRIPTION: Exits configuration mode for this profile.
8.6.1 Layer-2 Isolation Profile Example
The following example creates a layer-2 isolation profile with the name ‘test1’.
Router(config)# wlan-l2isolation-profile test1
Router(config-wlan-l2isolation test1)# 00:a0:c5:01:23:45
Router(config-wlan-l2isolation test1)# description user1
Router(config-wlan-l2isolation test1)# exit
Router(config)#
8.7 WDS Profile Commands
The following table identifies the values required for many of these commands. Other input values are discussed with the corresponding commands.
Table 31 Input Values for General WDS Profile Commands

LABEL: wds_profile_name
DESCRIPTION: The WDS profile name. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.
The following table describes the commands available for WDS profile management. You must use the configure terminal command to enter the configuration mode before you can use these commands.

Table 32 Command Summary: WDS Profile

COMMAND: show wlan-wds-profile {all | rule_count | [wds_profile_name]}
DESCRIPTION: Displays the WDS profile(s) settings.
all: Displays settings of all WDS profiles configured on the NWA/WAC.
rule_count: Displays how many WDS profiles are created on the NWA/WAC.
wds_profile_name: Displays settings of the specified profile.

COMMAND: wlan-wds-profile rename wds_profile_name1 wds_profile_name2
DESCRIPTION: Gives the existing WDS profile (wds_profile_name1) a new name, (wds_profile_name2).

COMMAND: [no] wlan-wds-profile wds_profile_name
DESCRIPTION: Enters configuration mode for the specified WDS profile.

COMMAND: psk psk
DESCRIPTION: Sets a pre-shared key of between 8 and 63 case-sensitive ASCII characters (including spaces and symbols) or 64 hexadecimal characters. The key is used to encrypt the traffic between the APs.

COMMAND: ssid ssid
DESCRIPTION: Sets the SSID with which you want the NWA/WAC to connect to a root AP or repeater to form a WDS.

COMMAND: exit
DESCRIPTION: Exits configuration mode for this profile.
8.7.1 WDS Profile Example
The following example creates a WDS profile with the name ‘WDS1’, and shows the profile settings.
Router(config)# wlan-wds-profile WDS1
Router(config-wlan-wds WDS1)# ssid ZyXEL-WDS
Router(config-wlan-wds WDS1)# psk qwer1234
Router(config-wlan-wds WDS1)# exit
Router(config)# show wlan-wds-profile WDS1
wds profile: WDS1
reference: 0
Id: 2
Description:
WDS_SSID: ZyXEL-WDS
WDS_PSK: qwer1234
Router(config)#
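The psk format rule from Table 32 and the profile name rule from Table 31 can be checked before anything is typed into the CLI. The Python below is an added example, not part of the Zyxel guide: the function names, the weakness heuristics (20-character threshold, keyboard sequences) and the reading of "ASCII characters" as printable ASCII are assumptions. It also builds the profile lines with a random 64-hexadecimal-character key in place of a short passphrase such as the qwer1234 used in the example above, which matters because show wlan-wds-profile prints the key in clear text.

```python
import re
import secrets
import string

# Table 32: 8-63 case-sensitive ASCII characters (spaces and symbols allowed)
# or exactly 64 hexadecimal characters.
HEX_KEY = re.compile(r"[0-9A-Fa-f]{64}")
# Assumption: "ASCII characters" means printable ASCII, space included.
PRINTABLE = set(string.ascii_letters + string.digits + string.punctuation + " ")
# Table 31: 1-31 alphanumerics, underscores or dashes, not starting with a number.
PROFILE_NAME = re.compile(r"[A-Za-z_-][A-Za-z0-9_-]{0,30}")
# Heuristic only: runs of four adjacent keys or digits.
KEYBOARD_ROWS = ("1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm")


def classify_psk(psk):
    """Return 'hex' or 'passphrase' for a key in the documented format."""
    if HEX_KEY.fullmatch(psk):
        return "hex"
    if 8 <= len(psk) <= 63 and all(ch in PRINTABLE for ch in psk):
        return "passphrase"
    raise ValueError("psk must be 8-63 ASCII characters or 64 hex characters")


def psk_findings(psk, ssid=""):
    """List heuristic weaknesses of a format-valid key (empty list: none found)."""
    findings = []
    if classify_psk(psk) == "hex":
        if len(set(psk.lower())) < 8:
            findings.append("hex key uses very few distinct digits")
        return findings
    lowered = psk.lower()
    if len(psk) < 20:
        findings.append("passphrase shorter than 20 characters")
    if any(row[i:i + 4] in lowered
           for row in KEYBOARD_ROWS for i in range(len(row) - 3)):
        findings.append("contains a keyboard or digit sequence")
    if ssid and ssid.lower() in lowered:
        findings.append("contains the SSID")
    return findings


def wds_profile_commands(name, ssid):
    """Return the config-mode lines for a WDS profile with a random 256-bit key."""
    if not PROFILE_NAME.fullmatch(name):
        raise ValueError("invalid WDS profile name")
    psk = secrets.token_hex(32)  # 64 hexadecimal characters
    return [f"wlan-wds-profile {name}", f"ssid {ssid}", f"psk {psk}", "exit"]


if __name__ == "__main__":
    print(psk_findings("qwer1234", "ZyXEL-WDS"))
    print("\n".join(wds_profile_commands("WDS1", "ZyXEL-WDS")))
```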
Chapter 9
Rogue AP
This chapter shows you how to set up Rogue Access Point (AP) detection and containment.
9.1 Rogue AP Detection Overview
Rogue APs are wireless access points operating in a network’s coverage area that are not under the control of the network’s administrators, and can potentially open holes in the network security.
Attackers can take advantage of a rogue AP’s weaker (or non-existent) security to gain illicit access to the network, or set up their own rogue APs in order to capture information from wireless clients.
Conversely, a friendly AP is one that the NWA/WAC network administrator regards as nonthreatening. This does not necessarily mean the friendly AP must belong to the network managed by the NWA/WAC; rather, it is any unmanaged AP within range of the NWA/WAC’s own wireless network that is allowed to operate without being contained. This can include APs from neighboring companies, for example, or even APs maintained by your company’s employees that operate outside of the established network.
9.2 Rogue AP Detection Commands
The following table identifies the values required for many of these commands. Other input values are discussed with the corresponding commands.
Table 33 Input Values for Rogue AP Detection Commands

LABEL: ap_mac
DESCRIPTION: Specifies the MAC address (in XX:XX:XX:XX:XX:XX or XX-XX-XX-XX-XX-XX format) of the AP to be added to either the rogue AP or friendly AP list. The no command removes the entry.

LABEL: description2
DESCRIPTION: Sets the description of the AP. You may use 1-60 alphanumeric characters, underscores (_), or dashes (-). This value is case-sensitive.
The following table describes the commands available for rogue AP detection. You must use the configure terminal command to enter the configuration mode before you can use these commands.
Table 34 Command Summary: Rogue AP Detection

COMMAND: rogue-ap detection
DESCRIPTION: Enters sub-command mode for rogue AP detection.

COMMAND: [no] activate
DESCRIPTION: Activates rogue AP detection. Use the no parameter to deactivate rogue AP detection.

COMMAND: rogue-ap ap_mac description2
DESCRIPTION: Sets the device that owns the specified MAC address as a rogue AP. You can also assign a description to this entry on the rogue AP list.

COMMAND: no rogue-ap ap_mac
DESCRIPTION: Removes the device that owns the specified MAC address from the rogue AP list.

COMMAND: friendly-ap ap_mac description2
DESCRIPTION: Sets the device that owns the specified MAC address as a friendly AP. You can also assign a description to this entry on the friendly AP list.

COMMAND: no friendly-ap ap_mac
DESCRIPTION: Removes the device that owns the specified MAC address from the friendly AP list.

COMMAND: exit
DESCRIPTION: Exits configuration mode for rogue AP detection.

COMMAND: show rogue-ap detection monitoring
DESCRIPTION: Displays a table of detected APs and information about them, such as their MAC addresses, when they were last seen, and their SSIDs, to name a few.

COMMAND: show rogue-ap detection list {rogue | friendly | all}
DESCRIPTION: Displays the specified rogue/friendly/all AP list.

COMMAND: show rogue-ap detection status
DESCRIPTION: Displays whether rogue AP detection is on or off.

COMMAND: show rogue-ap detection info
DESCRIPTION: Displays a summary of the number of detected devices from the following categories: rogue, friendly, ad-hoc, unclassified, and total.
9.2.1 Rogue AP Detection Examples
This example sets the device associated with MAC address 00:13:49:11:11:11 as a rogue AP, and the device associated with MAC address 00:13:49:11:11:22 as a friendly AP. It then removes MAC address 00:13:49:11:11:11 from the rogue AP list on the assumption that it was misidentified.
Router(config)# rogue-ap detection
Router(config-detection)# rogue-ap 00:13:49:11:11:11 rogue
Router(config-detection)# friendly-ap 00:13:49:11:11:22 friendly
Router(config-detection)# no rogue-ap 00:13:49:11:11:11
Router(config-detection)# exit
This example displays the rogue AP detection list.
Router(config)# show rogue-ap detection list rogue
no. mac               description                                   contain
===========================================================================
1   00:13:49:18:15:5A                                               0
This example shows the friendly AP detection list.
Router(config)# show rogue-ap detection list friendly
no. mac               description
===========================================================================
1   11:11:11:11:11:11 third floor
2   00:13:49:11:22:33
3   00:13:49:00:00:05
4   00:13:49:00:00:01
5   00:0D:0B:CB:39:33 dept1
This example shows the combined rogue and friendly AP detection list.
Router(config)# show rogue-ap detection list all
no. role        mac               description
===========================================================================
1   friendly-ap 11:11:11:11:11:11 third floor
2   friendly-ap 00:13:49:11:22:33
3   friendly-ap 00:13:49:00:00:05
4   friendly-ap 00:13:49:00:00:01
5   friendly-ap 00:0D:0B:CB:39:33 dept1
6   rogue-ap    00:13:49:18:15:5A
This example shows both the status of rogue AP detection and the summary of detected APs.
Router(config)# show rogue-ap detection status
rogue-ap detection status: on
Router(config)# show rogue-ap detection info
rogue ap: 1
friendly ap: 4
adhoc: 4
unclassified ap: 0
total devices: 0
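Because a friendly AP is never contained, the friendly list is worth reviewing against an inventory. The Python below is an added example, not part of the Zyxel guide: it parses the show rogue-ap detection list all output in the layout shown above and reports entries that need attention. The sample rows are copied from the example above; the approved inventory, the function names and the finding labels are constructed for illustration. The group-address check relies on the fact that a BSSID is an individual (unicast) address, so a first octet with its lowest bit set usually indicates a typing error or a placeholder.

```python
import re

# One data row: number, role, MAC (colon or dash separated), optional description.
ROW = re.compile(
    r"^\s*(\d+)\s+(friendly-ap|rogue-ap)\s+"
    r"((?:[0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2})\s*(.*?)\s*$"
)

# Rows copied from the guide's "show rogue-ap detection list all" example.
SAMPLE_OUTPUT = """\
Router(config)# show rogue-ap detection list all
no. role        mac               description
===========================================================================
1   friendly-ap 11:11:11:11:11:11 third floor
2   friendly-ap 00:13:49:11:22:33
3   friendly-ap 00:13:49:00:00:05
4   friendly-ap 00:13:49:00:00:01
5   friendly-ap 00:0D:0B:CB:39:33 dept1
6   rogue-ap    00:13:49:18:15:5A
"""

# Constructed inventory of APs the administrator has approved as friendly.
APPROVED_FRIENDLY = {"00:13:49:11:22:33", "00-0D-0B-CB-39-33"}


def normalize_mac(mac):
    """Lower-case the address and use colons, so both input formats compare equal."""
    return mac.replace("-", ":").lower()


def parse_detection_list(text):
    """Return one dict per table row; prompt, header and ruler lines are skipped."""
    entries = []
    for line in text.splitlines():
        match = ROW.match(line)
        if match:
            entries.append({
                "no": int(match.group(1)),
                "role": match.group(2),
                "mac": normalize_mac(match.group(3)),
                "description": match.group(4),
            })
    return entries


def audit(entries, approved_friendly):
    """Map each MAC address to the list of findings raised for it."""
    approved = {normalize_mac(mac) for mac in approved_friendly}
    roles = {}
    for entry in entries:
        roles.setdefault(entry["mac"], set()).add(entry["role"])
    findings = {}
    for entry in entries:
        found = findings.setdefault(entry["mac"], [])
        checks = []
        if int(entry["mac"][:2], 16) & 0x01:
            checks.append("group-address")       # not a valid BSSID
        if len(roles[entry["mac"]]) > 1:
            checks.append("listed-as-both")      # rogue and friendly at once
        if entry["role"] == "friendly-ap":
            if entry["mac"] not in approved:
                checks.append("not-in-inventory")
            if not entry["description"]:
                checks.append("no-description")
        found.extend(c for c in checks if c not in found)
    return findings


if __name__ == "__main__":
    for mac, found in audit(parse_detection_list(SAMPLE_OUTPUT),
                            APPROVED_FRIENDLY).items():
        print(mac, ", ".join(found) or "ok")
```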
9.3 Rogue AP Containment Overview
These commands enable rogue AP containment. You can use them to isolate a device that is flagged as a rogue AP. They are global in that they apply to all managed APs on the network (all APs utilize the same containment list, but only APs set to monitor mode can actively engage in containment of rogue APs). This means if we add a MAC address of a device to the containment list, then every AP on the network will respect it.
Note: Containing a rogue AP means broadcasting unviable login data at it, preventing legitimate wireless clients from connecting to it. This is a kind of Denial of Service attack.
9.4 Rogue AP Containment Commands
The following table identifies the values required for many of these commands. Other input values are discussed with the corresponding commands.
Table 35 Input Values for Rogue AP Containment Commands

LABEL: ap_mac
DESCRIPTION: Specifies the MAC address (in XX:XX:XX:XX:XX:XX format) of the AP to be contained. The no command removes the entry.
The following table describes the commands available for rogue AP containment. You must use the configure terminal command to enter the configuration mode before you can use these commands.
Table 36 Command Summary: Rogue AP Containment

COMMAND: rogue-ap containment
DESCRIPTION: Enters sub-command mode for rogue AP containment.

COMMAND: [no] activate
DESCRIPTION: Activates rogue AP containment. Use the no parameter to deactivate rogue AP containment.

COMMAND: [no] contain ap_mac
DESCRIPTION: Isolates the device associated with the specified MAC address. Use the no parameter to remove this device from the containment list.

COMMAND: exit
DESCRIPTION: Exits configuration mode for rogue AP containment.

COMMAND: show rogue-ap containment list
DESCRIPTION: Displays the rogue AP containment list.
9.4.1 Rogue AP Containment Example
This example contains the device associated with MAC address 00:13:49:11:11:12 then displays the containment list for confirmation.
Router(config)# rogue-ap containment
Router(config-containment)# activate
Router(config-containment)# contain 00:13:49:11:11:12
Router(config-containment)# exit
Router(config)# show rogue-ap containment list
no. mac
=====================================================================
1   00:13:49:11:11:12
Chapter 10
Wireless Frame Capture
This chapter shows you how to configure and use wireless frame capture on the NWA/WAC.
10.1 Wireless Frame Capture Overview
Troubleshooting wireless LAN issues has always been a challenge. Wireless sniffer tools like Ethereal can help capture and decode packets of information, which can then be analyzed for debugging. This works well for local data traffic, but the farther apart your devices are spaced, the more difficult remote debugging becomes. Complicated wireless packet collection is arguably an arduous and perplexing process. The wireless frame capture feature in the NWA/WAC can help.
This chapter describes the wireless frame capture commands, which allow a network administrator to capture wireless traffic information and download it as an Ethereal/Tcpdump-compatible packet file for analysis.
10.2 Wireless Frame Capture Commands
The following table identifies the values required for many of these commands. Other input values are discussed with the corresponding commands.
Table 37 Input Values for Wireless Frame Capture Commands

LABEL: ip_address
DESCRIPTION: The IP address of the Access Point (AP) that you want to monitor. Enter a standard IPv4 IP address (for example, 192.168.1.2).

LABEL: mon_file_size
DESCRIPTION: The size (in kbytes) of file to be captured. It stops the capture and generates the capture file when either it reaches this size or the total combined size of all files in the directory reaches the maximum size, which is 50 megabytes (51200 kbytes).

LABEL: file_name
DESCRIPTION: The file name prefix for each captured file. The default prefix is monitor while the default file name is monitor.dump. You can use 1-31 alphanumeric characters, underscores or dashes but the first character cannot be a number. This string is case sensitive.
The following table describes the commands available for wireless frame capture. You must use the configure terminal command to enter the configuration mode before you can use these commands.
Table 38 Command Summary: Wireless Frame Capture

COMMAND: frame-capture configure
DESCRIPTION: Enters sub-command mode for wireless frame capture.

COMMAND: src-ip add ip_address
DESCRIPTION: Sets the IP address of an AP controlled by the NWA/WAC that you want to monitor. You can use this command multiple times to add additional IPs to the monitor list.

COMMAND: file-prefix file_name
DESCRIPTION: Sets the file name prefix for each captured file. Enter up to 31 alphanumeric characters. Spaces and underscores are not allowed.

COMMAND: files-size mon_file_size
DESCRIPTION: Sets the size (in kbytes) of files to be captured.

COMMAND: exit
DESCRIPTION: Exits configuration mode for wireless frame capture.

COMMAND: [no] frame-capture activate
DESCRIPTION: Starts wireless frame capture. Use the no parameter to turn it off.

COMMAND: show frame-capture status
DESCRIPTION: Displays whether frame capture is running or not.

COMMAND: show frame-capture config
DESCRIPTION: Displays the frame capture configuration.
10.2.1 Wireless Frame Capture Examples
This example configures the wireless frame capture parameters for an AP located at IP address 192.168.1.2.
Router(config)# frame-capture configure
Router(frame-capture)# src-ip add 192.168.1.2
Router(frame-capture)# file-prefix monitor
Router(frame-capture)# files-size 1000
Router(frame-capture)# exit
Router(config)#
This example shows frame capture status and configuration.
Router(config)# show frame-capture status
capture status: off
Router(config)# show frame-capture config
capture source: 192.168.1.2
file prefix: monitor
file size: 1000
Chapter 11
Dynamic Channel Selection
This chapter shows you how to configure and use dynamic channel selection on the NWA/WAC.
11.1 DCS Overview
Dynamic Channel Selection (DCS) is a feature that allows an AP to automatically select the radio channel upon which it broadcasts by passively listening to the area around it and determining what channels are currently being broadcast on by other devices.
When numerous APs broadcast within a given area, they introduce the possibility of heightened radio interference, especially if some or all of them are broadcasting on the same radio channel.
This can make accessing the network potentially rather difficult for the stations connected to them.
If the interference becomes too great, then the network administrator must open his AP configuration options and manually change the channel to one that no other AP is using (or at least a channel that has a lower level of interference) in order to give the connected stations a minimum degree of channel interference.
11.2 DCS Commands
See Section 8.2 on page 50 for detailed information about how to configure DCS settings in a radio profile.
The following table describes the commands available for dynamic channel selection. You must use the configure terminal command to enter the configuration mode before you can use these commands.
Table 39 Command Summary: DCS

COMMAND: dcs now
DESCRIPTION: Sets the NWA/WAC to scan for and select an available channel immediately.
Chapter 12
Wireless Load Balancing
This chapter shows you how to configure wireless load balancing.
12.1 Wireless Load Balancing Overview
Wireless load balancing is the process whereby you limit the number of connections allowed on a wireless access point (AP) or you limit the amount of wireless traffic transmitted and received on it.
Because there is a hard upper limit on the AP’s wireless bandwidth, this can be a crucial function in areas crowded with wireless users. Rather than let every user connect and subsequently dilute the available bandwidth to the point where each connecting device receives a meager trickle, the load balanced AP instead limits the incoming connections as a means to maintain bandwidth integrity.
12.2 Wireless Load Balancing Commands
The following table describes the commands available for wireless load balancing. You must use the configure terminal command to enter the configuration mode before you can use these commands.
Table 40 Command Summary: Load Balancing

COMMAND: [no] load-balancing kickout
DESCRIPTION: Enables an overloaded AP to disconnect (“kick”) idle clients or clients with noticeably weak connections.

COMMAND: load-balancing mode {station | traffic | smartclassroom}
DESCRIPTION: Enables load balancing based on either number of stations (also known as wireless clients) or wireless traffic on an AP.
station or traffic: once the threshold is crossed (either the maximum station numbers or with network traffic), the NWA/WAC delays association request and authentication request packets from any new station that attempts to make a connection.
smart-classroom: the NWA/WAC ignores association request and authentication request packets from any new station when the maximum number of stations is reached.

COMMAND: load-balancing max sta <1..127>
DESCRIPTION: If load balancing by the number of stations/wireless clients, this sets the maximum number of devices allowed to connect to a load-balanced AP.

COMMAND: load-balancing traffic level {high | low | medium}
DESCRIPTION: If load balancing by traffic threshold, this sets the traffic threshold level.

COMMAND: load-balancing alpha <1..255>
DESCRIPTION: Sets the load balancing alpha value. When the AP is balanced, then this setting delays a client’s association with it by this number of seconds.
Note: This parameter has been optimized for the NWA/WAC and should not be changed unless you have been specifically directed to do so by ZyXEL support.

COMMAND: load-balancing beta <1..255>
DESCRIPTION: Sets the load balancing beta value. When the AP is overloaded, then this setting delays a client’s association with it by this number of seconds.
Note: This parameter has been optimized for the NWA/WAC and should not be changed unless you have been specifically directed to do so by ZyXEL support.

COMMAND: load-balancing sigma <51..100>
DESCRIPTION: Sets the load balancing sigma value. This value is an algorithm parameter used to calculate whether an AP is considered overloaded, balanced, or underloaded. It only applies to ‘by traffic mode’.
Note: This parameter has been optimized for the NWA/WAC and should not be changed unless you have been specifically directed to do so by ZyXEL support.

COMMAND: load-balancing timeout <1..255>
DESCRIPTION: Sets the length of time that an AP retains load balancing information it receives from other APs within its range.

COMMAND: load-balancing liInterval <1..255>
DESCRIPTION: Sets the interval in seconds that each AP communicates with the other APs in its range for calculating the load balancing algorithm.
Note: This parameter has been optimized for the NWA/WAC and should not be changed unless you have been specifically directed to do so by ZyXEL support.

COMMAND: load-balancing kickInterval <1..255>
DESCRIPTION: Enables the kickout feature for load balancing and also sets the kickout interval in seconds. While load balancing is enabled, the AP periodically disconnects stations at intervals equal to this setting. This occurs until the load balancing threshold is no longer exceeded.

COMMAND: show load-balancing config
DESCRIPTION: Displays the load balancing configuration.

COMMAND: show load-balancing loading
DESCRIPTION: Displays the loading status per radio (underload / balance / overload) when you enable the load balancing function.

COMMAND: [no] load-balancing activate
DESCRIPTION: Enables load balancing. Use the no parameter to disable it.
12.2.1 Wireless Load Balancing Examples
The following example shows you how to configure AP load balancing in "by station" mode. The maximum number of stations is set to 1.
Router(config)# load-balancing mode station
Router(config)# load-balancing max sta 1
Router(config)# show load-balancing config
load balancing config:
Activate: yes
Kickout: no
Mode: station
Max-sta: 1
Traffic-level: high
Alpha: 5
Beta: 10
Sigma: 60
Timeout: 20
LIInterval: 10
KickoutInterval: 20
The following example shows you how to configure AP load balancing in "by traffic" mode. The traffic level is set to low, and "disassociate station" is enabled.
Router(config)# load-balancing mode traffic
Router(config)# load-balancing traffic level low
Router(config)# load-balancing kickout
Router(config)# show load-balancing config
load balancing config:
Activate: yes
Kickout: yes
Mode: traffic
Max-sta: 1
Traffic-level: low
Alpha: 5
Beta: 10
Sigma: 60
Timeout: 20
LIInterval: 10
KickoutInterval: 20
Chapter 13
Certificates
This chapter explains how to use the certificates.
13.1 Certificates Overview
The NWA/WAC can use certificates (also called digital IDs) to authenticate users. Certificates are based on public-private key pairs. A certificate contains the certificate owner’s identity and public key. Certificates provide a way to exchange public keys for use in authentication.
A Certification Authority (CA) issues certificates and guarantees the identity of each certificate owner. There are commercial certification authorities like CyberTrust or VeriSign and government certification authorities. You can use the NWA/WAC to generate certification requests that contain identifying information and public keys and then send the certification requests to a certification authority.
13.2 Certificate Commands
This section describes the commands for configuring certificates.
13.3 Certificates Commands Input Values
The following table explains the values you can input with the certificate commands.
Table 41 Certificates Commands Input Values

LABEL: certificate_name
DESCRIPTION: The name of a certificate. You can use up to 31 alphanumeric and ;‘~!@#$%^&()_+[]{}’,.= characters.

LABEL: cn_address
DESCRIPTION: A common name IP address identifies the certificate’s owner. Type the IP address in dotted decimal notation.

LABEL: cn_domain_name
DESCRIPTION: A common name domain name identifies the certificate’s owner. The domain name is for identification purposes only and can be any string. The domain name can be up to 255 characters. You can use alphanumeric characters, the hyphen and periods.

LABEL: cn_email
DESCRIPTION: A common name e-mail address identifies the certificate’s owner. The e-mail address is for identification purposes only and can be any string. The e-mail address can be up to 63 characters. You can use alphanumeric characters, the hyphen, the @ symbol, periods and the underscore.

LABEL: organizational_unit
DESCRIPTION: Identify the organizational unit or department to which the certificate owner belongs. You can use up to 31 characters. You can use alphanumeric characters, the hyphen and the underscore.

LABEL: organization
DESCRIPTION: Identify the company or group to which the certificate owner belongs. You can use up to 31 characters. You can use alphanumeric characters, the hyphen and the underscore.

LABEL: country
DESCRIPTION: Identify the nation where the certificate owner is located. You can use up to 31 characters. You can use alphanumeric characters, the hyphen and the underscore.

LABEL: key_length
DESCRIPTION: Type a number to determine how many bits the key should use (512 to 2048). The longer the key, the more secure it is. A longer key also uses more PKI storage space.

LABEL: password
DESCRIPTION: When you have the NWA/WAC enroll for a certificate immediately online, the certification authority may want you to include a key (password) to identify your certification request. Use up to 31 of the following characters. a-zA-Z0-9;|`~!@#$%^&*()_+\{}':,./<>=-

LABEL: ca_name
DESCRIPTION: When you have the NWA/WAC enroll for a certificate immediately online, you must have the certification authority’s certificate already imported as a trusted certificate. Specify the name of the certification authority’s certificate. It can be up to 31 alphanumeric and ;‘~!@#$%^&()_+[]{}’,.= characters.

LABEL: url
DESCRIPTION: When you have the NWA/WAC enroll for a certificate immediately online, enter the IP address (or URL) of the certification authority server. You can use up to 511 of the following characters. a-zA-Z0-9'()+,/:.=?;!*#@$_%-
13.4 Certificates Commands Summary
The following table lists the commands that you can use to display and manage the NWA/WAC’s summary list of certificates and certification requests. You can also create certificates or certification requests. Use the configure terminal command to enter the configuration mode to be able to use these commands.
Table 42 ca Commands Summary

COMMAND: ca enroll cmp name certificate_name cn-type {ip cn cn_address|fqdn cn cn_domain_name|mail cn cn_email} [ou organizational_unit] [o organization] [c country] key-type {rsa|dsa} key-len key_length num <0..99999999> password password ca ca_name url url;
DESCRIPTION: Enrolls a certificate with a CA using Certificate Management Protocol (CMP). The certification authority may want you to include a reference number and key (password) to identify your certification request.

COMMAND: ca enroll scep name certificate_name cn-type {ip cn cn_address|fqdn cn cn_domain_name|mail cn cn_email} [ou organizational_unit] [o organization] [c country] key-type {rsa|dsa} key-len key_length password password ca ca_name url url
DESCRIPTION: Enrolls a certificate with a CA using Simple Certificate Enrollment Protocol (SCEP). The certification authority may want you to include a key (password) to identify your certification request.

COMMAND: ca generate pkcs10 name certificate_name cn-type {ip cn cn_address|fqdn cn cn_domain_name|mail cn cn_email} [ou organizational_unit] [o organization] [c country] key-type {rsa|rsa-sha256|rsa-sha512|dsa|dsa-sha256} key-len key_length [extendkey {svr-client-ike|svr-client|svr-ike|svr|client-ike|client|ike}]
DESCRIPTION: Generates a PKCS#10 certification request.

COMMAND: ca generate pkcs12 name name password password
DESCRIPTION: Generates a PKCS#12 certificate.

COMMAND: ca generate x509 name certificate_name cn-type {ip cn cn_address|fqdn cn cn_domain_name|mail cn cn_email} [ou organizational_unit] [o organization] [c country] key-type {rsa|rsa-sha256|rsa-sha512|dsa|dsa-sha256} key-len key_length [extendkey {svr-client-ike|svr-client|svr-ike|svr|client-ike|client|ike}]
DESCRIPTION: Generates a self-signed x509 certificate.

COMMAND: ca rename category {local|remote} old_name new_name
DESCRIPTION: Renames a local (my certificates) or remote (trusted certificates) certificate.

COMMAND: ca validation remote_certificate
DESCRIPTION: Enters the sub command mode for validation of certificates signed by the specified remote (trusted) certificates.

COMMAND: no ca category {local|remote} certificate_name
DESCRIPTION: Deletes the specified local (my certificates) or remote (trusted certificates) certificate.

COMMAND: no ca validation name
DESCRIPTION: Removes the validation configuration for the specified remote (trusted) certificate.

COMMAND: show ca category {local|remote} name certificate_name certpath
DESCRIPTION: Displays the certification path of the specified local (my certificates) or remote (trusted certificates) certificate.

COMMAND: show ca category {local|remote} [name certificate_name format {text|pem}]
DESCRIPTION: Displays a summary of the certificates in the specified category (local for my certificates or remote for trusted certificates) or the details of a specified certificate.

COMMAND: show ca validation name name
DESCRIPTION: Displays the validation configuration for the specified remote (trusted) certificate.

COMMAND: show ca spaceusage
DESCRIPTION: Displays the storage space in use by certificates.
13.5 Certificates Commands Examples
The following example creates a self-signed X.509 certificate with IP address 10.0.0.58 as the common name. It uses the RSA key type with a 512 bit key. Then it displays the list of local certificates. Finally it deletes the pkcs12request certification request.
Router# configure terminal
Router(config)# ca generate x509 name test_x509 cn-type ip cn 10.0.0.58 key-type rsa key-len 512
Router(config)# show ca category local
certificate: default
type: SELF
subject: CN=nwa3160-n_00134905820A
issuer: CN=nwa3160-n_00134905820A
status: EXPIRED
ID: nwa3160-n_00134905820A
type: EMAIL
valid from: 1970-01-01 02:09:16 GMT
valid to: 1989-12-27 02:09:16 GMT
Router(config)# no ca category local pkcs12request
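The listing above shows an expired, self-signed default certificate, and the ca generate command in the same example asks for a 512-bit key, the smallest size the CLI accepts. The Python below is an added example, not part of the Zyxel guide: it parses show ca category local output in the layout shown above (including the second type: line that belongs to the ID) and checks a ca generate or ca enroll command line for its key-len. The sample text is copied from the example above; the function names, the finding labels and the 2048-bit minimum are assumptions standing in for local policy.

```python
import re
from datetime import datetime, timezone

MIN_KEY_LEN = 2048  # assumption: local policy; the CLI accepts 512 to 2048

# Output copied from the guide's example; the prompt lines are kept on purpose.
SAMPLE_OUTPUT = """\
Router(config)# show ca category local
certificate: default
  type: SELF
  subject: CN=nwa3160-n_00134905820A
  issuer: CN=nwa3160-n_00134905820A
  status: EXPIRED
  ID: nwa3160-n_00134905820A
  type: EMAIL
  valid from: 1970-01-01 02:09:16 GMT
  valid to: 1989-12-27 02:09:16 GMT
Router(config)# no ca category local pkcs12request
"""

SAMPLE_COMMAND = ("ca generate x509 name test_x509 cn-type ip cn 10.0.0.58 "
                  "key-type rsa key-len 512")

PROMPT = re.compile(r"^\S+[#>]\s")


def parse_certificates(text):
    """Return one dict per 'certificate:' block with lower-cased field names."""
    certs, current = [], None
    for line in text.splitlines():
        if PROMPT.match(line):
            continue                      # CLI prompt and command echo
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key, value = key.strip().lower(), value.strip()
        if key == "certificate":
            current = {"name": value}
            certs.append(current)
        elif current is not None:
            # 'type' appears twice: certificate type first, then the ID type.
            if key == "type" and "type" in current:
                key = "id_type"
            current[key] = value
    return certs


def parse_time(value):
    """Parse the 'YYYY-MM-DD hh:mm:ss GMT' timestamps used in the listing."""
    parsed = datetime.strptime(value, "%Y-%m-%d %H:%M:%S GMT")
    return parsed.replace(tzinfo=timezone.utc)


def certificate_findings(cert, now):
    """Check the validity window and issuer of one parsed certificate."""
    findings = []
    if parse_time(cert["valid to"]) < now:
        findings.append("expired")
    if parse_time(cert["valid from"]) > now:
        findings.append("not yet valid")
    if cert.get("subject") == cert.get("issuer"):
        findings.append("self-signed")
    return findings


def key_length_findings(command, minimum=MIN_KEY_LEN):
    """Flag a ca generate / ca enroll command whose key-len is under the minimum."""
    match = re.search(r"\bkey-len\s+(\d+)\b", command)
    if not match:
        return ["no key-len given"]
    bits = int(match.group(1))
    return [f"key-len {bits} is below {minimum}"] if bits < minimum else []


if __name__ == "__main__":
    for cert in parse_certificates(SAMPLE_OUTPUT):
        print(cert["name"], certificate_findings(cert, datetime.now(timezone.utc)))
    print(key_length_findings(SAMPLE_COMMAND))
```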
Chapter 14
System
This chapter provides information on the commands that correspond to what you can configure in the system screens.
14.1 System Overview
Use these commands to configure general NWA/WAC information, the system time and the console port connection speed for a terminal emulation program. They also allow you to configure DNS settings and determine which services/protocols can access which NWA/WAC zones (if any) from which computers.
14.2 Host Name Commands
The following table describes the commands available for the hostname and domain name. You must use the configure terminal command to enter the configuration mode before you can use these commands.
Table 43 Command Summary: Host Name

COMMAND: [no] domainname <domain_name>
DESCRIPTION: Sets the domain name. The no command removes the domain name.
domain_name: This name can be up to 254 alphanumeric characters long. Spaces are not allowed, but dashes “-” and underscores “_” are accepted.

COMMAND: [no] hostname <hostname>
DESCRIPTION: Sets a descriptive name to identify your NWA/WAC. The no command removes the host name.

COMMAND: show fqdn
DESCRIPTION: Displays the fully qualified domain name.
14.3 Time and Date
For effective scheduling and logging, the NWA/WAC system time must be accurate. There is also a software mechanism to set the time manually or get the current time and date from an external server.
14.3.1 Date/Time Commands
The following table describes the commands available for date and time setup. You must use the configure terminal command to enter the configuration mode before you can use these commands.
Table 44 Command Summary: Date/Time

COMMAND: clock date <yyyy-mm-dd> time <hh:mm:ss>
DESCRIPTION: Sets the new date in year, month and day format manually and the new time in hour, minute and second format.

COMMAND: [no] clock daylight-saving
DESCRIPTION: Enables daylight saving. The no command disables daylight saving.

COMMAND: [no] clock saving-interval begin {apr|aug|dec|feb|jan|jul|jun|mar|may|nov|oct|sep} {1|2|3|4|last} {fri|mon|sat|sun|thu|tue|wed} hh:mm end {apr|aug|dec|feb|jan|jul|jun|mar|may|nov|oct|sep} {1|2|3|4|last} {fri|mon|sat|sun|thu|tue|wed} hh:mm offset
DESCRIPTION: Configures the day and time when Daylight Saving Time starts and ends. The no command removes the day and time when Daylight Saving Time starts and ends.
offset: a number from 1 to 5.5 (by 0.5 increments)

COMMAND: clock time hh:mm:ss
DESCRIPTION: Sets the new time in hour, minute and second format.

COMMAND: [no] clock time-zone {-|+hh:mm}
DESCRIPTION: Sets your time zone. The no command removes time zone settings.

COMMAND: [no] ntp
DESCRIPTION: Saves your date and time and time zone settings and updates the date and time every 24 hours. The no command stops updating the date and time every 24 hours.

COMMAND: [no] ntp server {fqdn|w.x.y.z}
DESCRIPTION: Sets the IP address or URL of your NTP time server. The no command removes time server information.

COMMAND: ntp sync
DESCRIPTION: Gets the time and date from a NTP time server.

COMMAND: show clock date
DESCRIPTION: Displays the current date of your NWA/WAC.

COMMAND: show clock status
DESCRIPTION: Displays your time zone and daylight saving settings.

COMMAND: show clock time
DESCRIPTION: Displays the current time of your NWA/WAC.

COMMAND: show ntp server
DESCRIPTION: Displays time server settings.
14.4 Console Port Speed
This section shows you how to set the console port speed when you connect to the NWA/WAC via the console port using a terminal emulation program. The following table describes the console port commands.
You must use the configure terminal command to enter the configuration mode before you can use these commands.
Table 45 Command Summary: Console Port Speed
COMMAND
    DESCRIPTION
[no] console baud baud_rate
    Sets the speed of the console port. The no command resets the console port speed to the default (115200).
    baud_rate: 9600, 19200, 38400, 57600 or 115200.
show console
    Displays console port speed.
14.5 DNS Overview
DNS (Domain Name System) is for mapping a domain name to its corresponding IP address and vice versa. The DNS server is extremely important because without it, you must know the IP address of a machine before you can access it.
14.5.1 DNS Commands
The following table identifies the values required for many of these commands. Other input values are discussed with the corresponding commands.
Table 46 Input Values for General DNS Commands
LABEL
    DESCRIPTION
address_object
    The name of the IP address (group) object. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.
interface_name
    The name of the interface.
    Ethernet interface: gex, x = 1 - N, where N equals the highest numbered Ethernet interface for your NWA/WAC model.
    VLAN interface: vlanx, x = 0 - 511.
The following table describes the commands available for DNS. You must use the configure terminal command to enter the configuration mode before you can use these commands.
Table 47 Command Summary: DNS
COMMAND
    DESCRIPTION
[no] ip dns server a-record fqdn w.x.y.z
    Sets an A record that specifies the mapping of a fully qualified domain name (FQDN) to an IP address. The no command deletes an A record.
ip dns server cache-flush
    Clears the DNS server cache.
[no] ip dns server mx-record domain_name {w.x.y.z|fqdn}
    Sets a MX record that specifies a mail server that is responsible for handling the mail for a particular domain. The no command deletes a MX record.
ip dns server rule {<1..32>|append|insert <1..32>} access-group {ALL|profile_name} zone {ALL|profile_name} action {accept|deny}
    Sets a service control rule for DNS requests.
ip dns server rule move <1..32> to <1..32>
    Changes the number of a service control rule.
ip dns server zone-forwarder {<1..32>|append|insert <1..32>} {domain_zone_name|*} user-defined w.x.y.z [private | interface {interface_name | auto}]
    Sets a domain zone forwarder record that specifies a DNS server’s IP address.
    private | interface: Use private if the NWA/WAC connects to the DNS server through a VPN tunnel. Otherwise, use the interface command to set the interface through which the NWA/WAC sends DNS queries to a DNS server. The auto means any interface that the NWA/WAC uses to send DNS queries to a DNS server according to the routing rule.
ip dns server zone-forwarder move <1..32> to <1..32>
    Changes the index number of a zone forwarder record.
no ip dns server rule <1..32>
    Deletes a service control rule.
show ip dns server database
    Displays all configured records.
show ip dns server status
    Displays whether this service is enabled or not.
14.5.2 DNS Command Example
This command sets an A record that specifies the mapping of a fully qualified domain name (www.abc.com) to an IP address (210.17.2.13).
Router# configure terminal
Router(config)# ip dns server a-record www.abc.com 210.17.2.13
CHAPTER 15
System Remote Management
This chapter shows you how to determine which services/protocols can access which NWA/WAC zones (if any) from which computers.
Note: To allow the NWA/WAC to be accessed from a specified computer using a service, make sure you do not have a service control rule or to-NWA/WAC rule to block that traffic.
15.1 System Timeout
There is a lease timeout for administrators. The NWA/WAC automatically logs you out if the management session remains idle for longer than this timeout period. The management session does not time out when a statistics screen is polling.
Each user is also forced to log in the NWA/WAC for authentication again when the reauthentication time expires.
15.2 HTTP/HTTPS Commands
The following table describes the commands available for HTTP/HTTPS. You must use the configure terminal command to enter the configuration mode before you can use these commands.
Table 48 Command Summary: HTTP/HTTPS
COMMAND
    DESCRIPTION
[no] ip http authentication auth_method
    Sets an authentication method used by the HTTP/HTTPS server. The no command resets the authentication method used by the HTTP/HTTPS server to the factory default (default).
    auth_method: The name of the authentication method. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.
[no] ip http port <1..65535>
    Sets the HTTP service port number. The no command resets the HTTP service port number to the factory default (80).
[no] ip http secure-port <1..65535>
    Sets the HTTPS service port number. The no command resets the HTTPS service port number to the factory default (443).
[no] ip http secure-server
    Enables HTTPS access to the NWA/WAC web configurator. The no command disables HTTPS access to the NWA/WAC web configurator.
[no] ip http secure-server auth-client
    Sets the client to authenticate itself to the HTTPS server. The no command sets the client not to authenticate itself to the HTTPS server.
[no] ip http secure-server cert certificate_name
    Specifies a certificate used by the HTTPS server. The no command resets the certificate used by the HTTPS server to the factory default (default).
    certificate_name: The name of the certificate. You can use up to 31 alphanumeric and ;‘~!@#$%^&()_+[]{}’,.= characters.
[no] ip http secure-server force-redirect
    Redirects all HTTP connection requests to a HTTPS URL. The no command disables forwarding HTTP connection requests to a HTTPS URL.
ip http secure-server cipher-suite {cipher_algorithm} [cipher_algorithm] [cipher_algorithm] [cipher_algorithm]
    Sets the encryption algorithms (up to four) that the NWA/WAC uses for the SSL in HTTPS connections and the sequence in which it uses them. The cipher_algorithm can be any of the following.
    rc4: RC4 (RC4 may impact the NWA/WAC’s CPU performance since the NWA/WAC’s encryption accelerator does not support it).
    aes: AES
    des: DES
    3des: Triple DES.
no ip http secure-server cipher-suite {cipher_algorithm}
    Has the NWA/WAC not use the specified encryption algorithm for the SSL in HTTPS connections.
[no] ip http server
    Allows HTTP access to the NWA/WAC web configurator. The no command disables HTTP access to the NWA/WAC web configurator.
show ip http server status
    Displays HTTP settings.
show ip http server secure status
    Displays HTTPS settings.
15.2.1 HTTP/HTTPS Command Examples
This command sets an authentication method used by the HTTP/HTTPS server to authenticate the client(s).
Router# configure terminal
Router(config)# ip http authentication Example
The following example sets a certificate named MyCert used by the HTTPS server to authenticate itself to the SSL client.
Router# configure terminal
Router(config)# ip http secure-server cert MyCert
15.3 SSH
Unlike Telnet or FTP, which transmit data in clear text, SSH (Secure Shell) is a secure communication protocol that combines authentication and data encryption to provide secure encrypted communication between two hosts over an unsecured network.
15.3.1 SSH Implementation on the NWA/WAC
Your NWA/WAC supports SSH versions 1 and 2 using RSA authentication and four encryption methods (AES, 3DES, Arcfour, and Blowfish). The SSH server is implemented on the NWA/WAC for remote management on port 22 (by default).
15.3.2 Requirements for Using SSH
You must install an SSH client program on a client computer (Windows or Linux operating system) that is used to connect to the NWA/WAC over SSH.
15.3.3 SSH Commands
The following table describes the commands available for SSH. You must use the configure terminal command to enter the configuration mode before you can use these commands.
Table 49 Command Summary: SSH
COMMAND
    DESCRIPTION
[no] ip ssh server
    Allows SSH access to the NWA/WAC CLI. The no command disables SSH access to the NWA/WAC CLI.
[no] ip ssh server cert certificate_name
    Sets a certificate whose corresponding private key is to be used to identify the NWA/WAC for SSH connections. The no command resets the certificate used by the SSH server to the factory default (default).
    certificate_name: The name of the certificate. You can use up to 31 alphanumeric and ;‘~!@#$%^&()_+[]{}’,.= characters.
[no] ip ssh server port <1..65535>
    Sets the SSH service port number. The no command resets the SSH service port number to the factory default (22).
[no] ip ssh server v1
    Enables remote management using SSH v1. The no command stops the NWA/WAC from using SSH v1.
show ip ssh server status
    Displays SSH settings.
15.3.4 SSH Command Examples
This command sets a certificate (Default) to be used to identify the NWA/WAC.
Router# configure terminal
Router(config)# ip ssh server cert Default
15.4 Telnet
You can configure your NWA/WAC for remote Telnet access.
15.5 Telnet Commands
The following table describes the commands available for Telnet. You must use the configure terminal command to enter the configuration mode before you can use these commands.
Table 50 Command Summary: Telnet
COMMAND
    DESCRIPTION
[no] ip telnet server
    Allows Telnet access to the NWA/WAC CLI. The no command disables Telnet access to the NWA/WAC CLI.
[no] ip telnet server port <1..65535>
    Sets the Telnet service port number. The no command resets the Telnet service port number back to the factory default (23).
show ip telnet server status
    Displays Telnet settings.
15.5.1 Telnet Commands Examples
This command displays Telnet settings.
Router# configure terminal
Router(config)# show ip telnet server status
active : yes
port : 23
service control:
No. Zone Address Action
========================================================================
Router(config)#
15.6 Configuring FTP
You can upload and download the NWA/WAC’s firmware and configuration files using FTP. To use this feature, your computer must have an FTP client.
15.6.1 FTP Commands
The following table describes the commands available for FTP.
You must use the configure terminal command to enter the configuration mode before you can use these commands.
Table 51 Command Summary: FTP
COMMAND
    DESCRIPTION
[no] ip ftp server
    Allows FTP access to the NWA/WAC. The no command disables FTP access to the NWA/WAC.
[no] ip ftp server cert certificate_name
    Sets a certificate to be used to identify the NWA/WAC. The no command resets the certificate used by the FTP server to the factory default.
[no] ip ftp server port <1..65535>
    Sets the FTP service port number. The no command resets the FTP service port number to the factory default (21).
[no] ip ftp server tls-required
    Allows FTP access over TLS. The no command disables FTP access over TLS.
show ip ftp server status
    Displays FTP settings.
15.6.2 FTP Commands Examples
This command displays FTP settings.
Router# configure terminal
Router(config)# show ip ftp server status
active : yes
port : 21
certificate: default
TLS : no
service control:
No. Zone Address Action
========================================================================
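The Telnet and FTP status outputs shown in 15.5.1 and 15.6.2 can be checked mechanically. The following audit script is an added example, not part of the Zyxel guide: it parses a constructed console capture in that output format and pairs each finding with a command from Tables 50 and 51. The one-field-per-line layout and the value "yes" for the TLS field are assumptions.

```python
import re

# Constructed console capture. Field names follow the Telnet and FTP status
# examples in this guide; one field per line is an assumption about the layout.
CAPTURE = """\
Router(config)# show ip telnet server status
active : yes
port : 23
service control:
No. Zone Address Action
========================================================================
Router(config)# show ip ftp server status
active : yes
port : 21
certificate: default
TLS : no
service control:
No. Zone Address Action
========================================================================
Router(config)#
"""

PROMPT = re.compile(r"^\S+#\s*show ip (\w+) server status\s*$")
FIELD = re.compile(r"^\s*([A-Za-z][A-Za-z ]*?)\s*:\s*(\S.*?)\s*$")


def parse_status(capture):
    """Return {service: {field: value}} for each 'show ip <service> server status' block."""
    services, current = {}, None
    for line in capture.splitlines():
        prompt = PROMPT.match(line)
        if prompt:
            current = services.setdefault(prompt.group(1).lower(), {})
            continue
        if current is None:
            continue
        field = FIELD.match(line)
        if field:
            current[field.group(1).lower()] = field.group(2)
        else:
            # "service control:" (no value) or the next prompt ends the field list.
            current = None
    return services


def audit(services):
    """Return (service, issue, command) tuples; commands come from Tables 50 and 51."""
    findings = []
    telnet = services.get("telnet", {})
    if telnet.get("active", "").lower() == "yes":
        findings.append(("telnet",
                         "Telnet is enabled; the CLI session is sent in clear text",
                         "no ip telnet server"))
    ftp = services.get("ftp", {})
    if ftp.get("active", "").lower() == "yes":
        if ftp.get("tls", "").lower() != "yes":
            findings.append(("ftp",
                             "FTP is enabled without TLS; firmware and configuration "
                             "files are transferred in clear text",
                             "ip ftp server tls-required"))
        if ftp.get("certificate", "").lower() == "default":
            findings.append(("ftp",
                             "FTP server uses the factory-default certificate",
                             "ip ftp server cert <certificate_name>"))
    return findings


if __name__ == "__main__":
    for service, issue, command in audit(parse_status(CAPTURE)):
        print(f"[{service}] {issue}\n    suggested: {command}")
```

If FTP is not needed at all, no ip ftp server from Table 51 removes the finding instead.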
15.7 SNMP
Simple Network Management Protocol is a protocol used for exchanging management information between network devices. Your NWA/WAC supports SNMP agent functionality, which allows a manager station to manage and monitor the NWA/WAC through the network. The NWA/WAC supports SNMP version one (v1) and version three (v3).
15.7.1 Supported MIBs
The NWA/WAC supports MIB II that is defined in RFC-1213 and RFC-1215. The NWA/WAC also supports private MIBs (ZYXEL-ES-SMI.MIB, ZYXEL-ES-CAPWAP.MIB, ZYXEL-ES-COMMON.MIB, ZYXEL-ES-HybridAP.MIB, ZYXEL-ES-ProWLAN.MIB, ZYXEL-ES-RFMGMT.MIB and ZYXEL-ES-WIRELESS.MIB) to collect information about CPU and memory usage. The focus of the MIBs is to let administrators collect statistical data and monitor status and performance. You can download the NWA/WAC’s MIBs from www.zyxel.com.
15.7.2 SNMP Traps
The NWA/WAC will send traps to the SNMP manager when any one of the following events occurs:
Table 52 SNMP Traps
OBJECT LABEL
    OBJECT ID
    DESCRIPTION
Cold Start
    1.3.6.1.6.3.1.1.5.1
    This trap is sent when the NWA/WAC is turned on or an agent restarts.
linkDown
    1.3.6.1.6.3.1.1.5.3
    This trap is sent when the Ethernet link is down.
linkUp
    1.3.6.1.6.3.1.1.5.4
    This trap is sent when the Ethernet link is up.
authenticationFailure
    1.3.6.1.6.3.1.1.5.5
    This trap is sent when an SNMP request comes from non-authenticated hosts.
15.7.3 SNMP Commands
The following table describes the commands available for SNMP.
You must use the configure terminal command to enter the configuration mode before you can use these commands.
Table 53 Command Summary: SNMP
COMMAND
    DESCRIPTION
[no] snmp-server version <v2c|v3>
    Sets the SNMP version support. The no command removes the SNMP version support.
[no] snmp-server host {fqdn|w.x.y.z} [community_string]
    Sets the domain name or IP address of the host that receives the SNMP notifications. The no command removes the host that receives the SNMP notifications.
[no] snmp-server enable traps {wireless|capwap}
    Sets the trap control to receive the wireless/capwap trap notifications. The no command removes the wireless/capwap trap notifications.
snmp-server v3user username <username> authentication <none|MD5|SHA> privacy <none|DES|AES> privilege <ro|rw>
    Sets the SNMPv3 user account and its privilege of read-only (ro) or read-write (rw) access.
no snmp-server v3user username <username>
    The no command removes the SNMPv3 user account.
show snmp status
    Displays SNMP settings.
show snmp-server v3user status
    Displays SNMPv3 user status.
[no] snmp-server
    Allows SNMP access to the NWA/WAC. The no command disables SNMP access to the NWA/WAC.
[no] snmp-server community community_string {ro|rw}
    Enters up to 64 characters to set the password for read-only (ro) or read-write (rw) access. The no command resets the password for read-only (ro) or read-write (rw) access to the default.
[no] snmp-server contact description
    Sets the contact information (of up to 60 characters) for the person in charge of the NWA/WAC. The no command removes the contact information for the person in charge of the NWA/WAC.
[no] snmp-server enable {informs|traps}
    Enables all SNMP notifications (informs or traps). The no command disables all SNMP notifications (informs or traps).
[no] snmp-server location description
    Sets the geographic location (of up to 60 characters) for the NWA/WAC. The no command removes the geographic location for the NWA/WAC.
[no] snmp-server port <1..65535>
    Sets the SNMP service port number. The no command resets the SNMP service port number to the factory default (161).
CHAPTER 16
AAA Server
This chapter introduces and shows you how to configure the NWA/WAC to use external authentication servers.
16.1 AAA Server Overview
You can use an AAA (Authentication, Authorization, Accounting) server to provide access control to your network.
The following lists the types of authentication server the NWA/WAC supports.
• Local user database
The NWA/WAC uses the built-in local user database to authenticate administrative users logging into the NWA/WAC’s web configurator or network access users logging into the network through the NWA/WAC. You can also use the local user database to authenticate VPN users.
• Directory Service (LDAP/AD)
LDAP (Lightweight Directory Access Protocol)/AD (Active Directory) is a directory service that is both a directory and a protocol for controlling access to a network. The directory consists of a database specialized for fast information retrieval and filtering activities. You create and store user profile and login information on the external server.
• RADIUS
RADIUS (Remote Authentication Dial-In User Service) authentication is a popular protocol used to authenticate users by means of an external or built-in RADIUS server. RADIUS authentication allows you to validate a large number of users from a central location.
16.2 Authentication Server Command Summary
This section describes the commands for authentication server settings.
16.2.1 radius-server Commands
The following table lists the radius-server commands you use to set the default RADIUS server.
Table 54 radius-server Commands
COMMAND
    DESCRIPTION
show radius-server
    Displays the default RADIUS server settings.
[no] radius-server host radius_server auth-port auth_port
    Sets the RADIUS server address and service port number. Enter the IP address (in dotted decimal notation) or the domain name of a RADIUS server. The no command clears the settings.
[no] radius-server key secret
    Sets a password (up to 15 alphanumeric characters) as the key to be shared between the RADIUS server and the NWA/WAC. The no command clears this setting.
[no] radius-server timeout time
    Sets the search timeout period (in seconds). Enter a number between 1 and 300. The no command clears this setting.
16.2.2 radius-server Command Example
The following example sets the secret key and timeout period of the default RADIUS server (172.23.10.100) to “876543210” and 80 seconds.
Router# configure terminal
Router(config)# radius-server host 172.23.10.100 auth-port 1812
Router(config)# radius-server key 876543210
Router(config)# radius-server timeout 80
Router(config)# show radius-server
host : 172.23.10.100
authentication port: 1812
key : 876543210
timeout : 80
Router(config)#
16.2.3 aaa group server ad Commands
The following table lists the aaa group server ad commands you use to configure a group of AD servers.
Table 55 aaa group server ad Commands
COMMAND
    DESCRIPTION
clear aaa group server ad [group-name]
    Deletes all AD server groups or the specified AD server group.
    Note: You can NOT delete a server group that is currently in use.
show aaa group server ad group-name
    Displays the specified AD server group settings.
[no] aaa group server ad group-name
    Sets a descriptive name for an AD server group. Use this command to enter the sub-command mode. The no command deletes the specified server group.
aaa group server ad rename group-name group-name
    Changes the descriptive name for an AD server group.
aaa group server ad group-name
    Enter the sub-command mode to configure an AD server group.
[no] server alternative-cn-identifier uid
    Sets the second type of identifier that the users can use to log in if any. For example “name” or “e-mail address”. The no command clears this setting.
[no] server basedn basedn
    Sets the base DN to point to the AD directory on the AD server group. The no command clears this setting.
[no] server binddn binddn
    Sets the user name the NWA/WAC uses to log into the AD server group. The no command clears this setting.
[no] server cn-identifier uid
    Sets the user name the NWA/WAC uses to log into the AD server group. The no command clears this setting.
[no] server description description
    Sets the descriptive information for the AD server group. You can use up to 60 printable ASCII characters. The no command clears the setting.
[no] server group-attribute group-attribute
    Sets the name of the attribute that the NWA/WAC is to check to determine to which group a user belongs. The value for this attribute is called a group identifier; it determines to which group a user belongs. You can add ext-group-user user objects to identify groups based on these group identifier values.
    For example you could have an attribute named “memberOf” with values like “sales”, “RD”, and “management”. Then you could also create an ext-group-user user object for each group. One with “sales” as the group identifier, another for “RD” and a third for “management”. The no command clears the setting.
[no] server host ad_server
    Enter the IP address (in dotted decimal notation) or the domain name of an AD server to add to this group. The no command clears this setting.
[no] server password password
    Sets the bind password (up to 15 alphanumerical characters). The no command clears this setting.
[no] server domain-auth activate
    Activates server domain authentication. The no parameter deactivates it.
server domain-auth username [username] password [password]
    Sets the user name and password for domain authentication.
server domain-auth realm [realm]
    Sets the realm for domain authentication.
[no] server port port_no
    Sets the AD port number. Enter a number between 1 and 65535. The default is 389. The no command clears this setting.
[no] server search-time-limit time
    Sets the search timeout period (in seconds). Enter a number between 1 and 300. The no command clears this setting and sets this to the default setting of 5 seconds.
[no] server ssl
    Enables the NWA/WAC to establish a secure connection to the AD server. The no command disables this feature.
16.2.4 aaa group server ldap Commands
The following table lists the aaa group server ldap commands you use to configure a group of LDAP servers.
Table 56 aaa group server ldap Commands
COMMAND
    DESCRIPTION
clear aaa group server ldap [group-name]
    Deletes all LDAP server groups or the specified LDAP server group.
    Note: You can NOT delete a server group that is currently in use.
show aaa group server ldap group-name
    Displays the specified LDAP server group settings.
[no] aaa group server ldap group-name
    Sets a descriptive name for an LDAP server group. Use this command to enter the sub-command mode. The no command deletes the specified server group.
aaa group server ldap rename group-name group-name
    Changes the descriptive name for an LDAP server group.
aaa group server ldap group-name
    Enter the sub-command mode.
[no] server alternative-cn-identifier uid
    Sets the second type of identifier that the users can use to log in if any. For example “name” or “e-mail address”. The no command clears this setting.
[no] server basedn basedn
    Sets the base DN to point to the LDAP directory on the LDAP server group. The no command clears this setting.
[no] server binddn binddn
    Sets the user name the NWA/WAC uses to log into the LDAP server group. The no command clears this setting.
[no] server cn-identifier uid
    Sets the user name the NWA/WAC uses to log into the LDAP server group. The no command clears this setting.
[no] server description description
    Sets the descriptive information for the LDAP server group. You can use up to 60 printable ASCII characters. The no command clears this setting.
[no] server group-attribute group-attribute
    Sets the name of the attribute that the NWA/WAC is to check to determine to which group a user belongs. The value for this attribute is called a group identifier; it determines to which group a user belongs. You can add ext-group-user user objects to identify groups based on these group identifier values.
    For example you could have an attribute named “memberOf” with values like “sales”, “RD”, and “management”. Then you could also create an ext-group-user user object for each group. One with “sales” as the group identifier, another for “RD” and a third for “management”. The no command clears the setting.
[no] server host ldap_server
    Enter the IP address (in dotted decimal notation) or the domain name of an LDAP server to add to this group. The no command clears this setting.
[no] server password password
    Sets the bind password (up to 15 characters). The no command clears this setting.
[no] server port port_no
    Sets the LDAP port number. Enter a number between 1 and 65535. The default is 389. The no command clears this setting.
[no] server search-time-limit time
    Sets the search timeout period (in seconds). Enter a number between 1 and 300. The no command clears this setting and sets this to the default setting of 5 seconds.
[no] server ssl
    Enables the NWA/WAC to establish a secure connection to the LDAP server. The no command disables this feature.
16.2.5 aaa group server radius Commands
The following table lists the aaa group server radius commands you use to configure a group of RADIUS servers.
Table 57 aaa group server radius Commands
COMMAND
    DESCRIPTION
clear aaa group server radius group-name
    Deletes all RADIUS server groups or the specified RADIUS server group.
    Note: You can NOT delete a server group that is currently in use.
show aaa group server radius group-name
    Displays the specified RADIUS server group settings.
[no] aaa group server radius group-name
    Sets a descriptive name for the RADIUS server group. The no command deletes the specified server group.
aaa group server radius rename {group-name-old} group-name-new
    Sets the server group name.
aaa group server radius group-name
    Enter the sub-command mode.
[no] server description description
    Sets the descriptive information for the RADIUS server group. You can use up to 60 printable ASCII characters. The no command clears the setting.
[no] server group-attribute <1-255>
    Sets the value of an attribute that the NWA/WAC uses to determine to which group a user belongs. This attribute’s value is called a group identifier. You can add ext-group-user user objects to identify groups based on different group identifier values.
    For example, you could configure attributes 1, 10 and 100 and create an ext-group-user user object for each of them. The no command clears the setting.
[no] server host radius_server
    Enter the IP address (in dotted decimal notation) or the domain name of a RADIUS server to add to this server group. The no command clears this setting.
[no] server key secret
    Sets a password (up to 15 alphanumeric characters) as the key to be shared between the RADIUS server(s) and the NWA/WAC. The no command clears this setting.
[no] server timeout time
    Sets the search timeout period (in seconds). Enter a number between 1 and 300. The no command clears this setting and sets this to the default setting of 5 seconds.
16.2.6 aaa group server Command Example
The following example creates a RADIUS server group with two members and sets the secret key to “12345678” and the timeout to 100 seconds. Then this example also shows how to view the RADIUS group settings.
Router# configure terminal
Router(config)# aaa group server radius RADIUSGroup1
Router(group-server-radius)# server host 192.168.1.100 auth-port 1812
Router(group-server-radius)# server host 172.23.22.100 auth-port 1812
Router(group-server-radius)# server key 12345678
Router(group-server-radius)# server timeout 100
Router(group-server-radius)# exit
Router(config)# show aaa group server radius RADIUSGroup1
key : 12345678
timeout : 100
description :
group attribute : 11
No. Host Member Auth. Port
==========================================================================
1 192.168.1.100 1812
2 172.23.22.100 1812
CHAPTER 17
Authentication Objects
This chapter shows you how to select different authentication methods for user authentication using the AAA servers or the internal user database.
17.1 Authentication Objects Overview
After you have created the AAA server objects, you can specify the authentication objects (containing the AAA server information) that the NWA/WAC uses to authenticate users (such as managing through HTTP/HTTPS or Captive Portal).
17.2 aaa authentication Commands
The following table lists the aaa authentication commands you use to configure an authentication profile.
Table 58 aaa authentication Commands
COMMAND
    DESCRIPTION
aaa authentication rename profile-name-old profile-name-new
    Changes the profile name.
    profile-name: You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.
clear aaa authentication profile-name
    Deletes all authentication profiles or the specified authentication profile.
    Note: You can NOT delete a profile that is currently in use.
show aaa authentication {group-name|default}
    Displays the specified authentication server profile settings.
[no] aaa authentication profile-name
    Sets a descriptive name for the authentication profile. The no command deletes a profile.
[no] aaa authentication {profile-name} local
    Creates an authentication profile to authenticate users using the local user database.
[no] aaa authentication default member1 [member2] [member3] [member4]
    Sets the default profile to use the authentication method(s) in the order specified.
    member = group radius, or local.
    Note: You must specify at least one member for each profile. Each type of member can only be used once in a profile.
    The no command clears the specified authentication method(s) for the profile.
[no] aaa authentication profile-name member1 [member2] [member3] [member4]
    Sets the profile to use the authentication method(s) in the order specified.
    member = group radius, or local.
    Note: You must specify at least one member for each profile. Each type of member can only be used once in a profile.
    The no command clears the specified authentication method(s) for the profile.
17.2.1 aaa authentication Command Example
The following example creates an authentication profile to authenticate users using the local user database.
Router# configure terminal
Router(config)# aaa authentication LDAPuser group local
Router(config)# show aaa authentication LDAPuser
No. Method
===========================================================================
0 ldap
1 local
Router(config)#
17.3 test aaa Command
The following table lists the test aaa command you use to test a user account on an authentication server.
Table 59 test aaa Command
COMMAND
    DESCRIPTION
test aaa {server|secure-server} {ad|ldap} host {hostname|ipv4address} [host {hostname|ipv4address}] port <1..65535> base-dn base-dn-string [bind-dn bind-dn-string password password] login-name-attribute attribute [alternative-login-name-attribute attribute] account account-name
    Tests whether a user account exists on the specified authentication server.
17.3.1 Test a User Account Command Example
The following example shows how to test whether a user account named userABC exists on the AD authentication server which uses the following settings:
• IP address: 172.16.50.1
• Port: 389
• Base-dn: DC=ZyXEL,DC=com
• Bind-dn: zyxel\engineerABC
• Password: abcdefg
• Login-name-attribute: sAMAccountName
The result shows the account exists on the AD server. Otherwise, the NWA/WAC returns an error.
Router> test aaa server ad host 172.16.50.1 port 389 base-dn DC=ZyXEL,DC=com bind-dn zyxel\engineerABC password abcdefg login-name-attribute sAMAccountName account userABC
dn:: Q049MTIzNzco546L5aOr56uRKSxPVT1XaXRoTWFpbCxEQz1aeVhFTCxEQz1jb20=
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn:: MTIzNzco546L5aOr56uRKQ==
sn: User
l: 2341100
--------------------------SNIP!--------------------------------------------
CHAPTER 18
File Manager
This chapter covers how to work with the NWA/WAC’s firmware, certificates, configuration files, packet trace results, shell scripts and temporary files.
18.1 File Directories
The NWA/WAC stores files in the following directories.
Table 60 FTP File Transfer Notes
DIRECTORY      FILE TYPE                                FILE NAME EXTENSION
A              Firmware (upload only)                   bin
cert           Non-PKCS#12 certificates                 cer
conf           Configuration files                      conf
packet_trace   Packet trace results (download only)
script         Shell scripts                            .zysh
tmp            Temporary system maintenance files and crash dumps for technical support use (download only)
A. After you log in through FTP, you do not need to change directories in order to upload the firmware.
18.2 Configuration Files and Shell Scripts Overview
You can store multiple configuration files and shell script files on the NWA/WAC.
When you apply a configuration file, the NWA/WAC uses the factory default settings for any features that the configuration file does not include. Shell scripts are files of commands that you can store on the NWA/WAC and run when you need them. When you run a shell script, the NWA/WAC only applies the commands that it contains. Other settings do not change.
You can edit configuration files or shell scripts in a text editor and upload them to the NWA/WAC.
Configuration files use a .conf extension and shell scripts use a .zysh extension.
These files have the same syntax, which is also identical to the way you run CLI commands manually. An example is shown below.
Figure 10 Configuration File / Shell Script: Example
## enter configuration mode
configure terminal
# change administrator password
username admin password 4321 user-type admin
#configure default radio profile, change 2GHz channel to 11 & Tx output power
# to 50%
wlan-radio-profile default
2g-channel 11
output-power 50%
exit
write
While configuration files and shell scripts have the same syntax, the NWA/WAC applies configuration files differently than it runs shell scripts. This is explained below.
Table 61 Configuration Files and Shell Scripts in the NWA/WAC
Configuration Files (.conf)
• Resets to default configuration.
• Goes into CLI Configuration mode.
• Runs the commands in the configuration file.
Shell Scripts (.zysh)
• Goes into CLI Privilege mode.
• Runs the commands in the shell script.
You have to run the example in Figure 10 as a shell script because the first command is run in Privilege mode. If you remove the first command, you have to run the example as a configuration file because the rest of the commands are executed in Configuration mode. (See Section 1.5 on page 17 for more information about CLI modes.)
18.2.1 Comments in Configuration Files or Shell Scripts
In a configuration file or shell script, use “#” or “!” as the first character of a command line to have the NWA/WAC treat the line as a comment.
Your configuration files or shell scripts can use “exit” or a command line consisting of a single “!” to have the NWA/WAC exit sub command mode.
Note: “exit” or “!” must follow sub commands if it is to make the NWA/WAC exit sub command mode.
In the following example lines 1 and 2 are comments. Line 5 exits sub command mode.
! this is from Joe
# on 2010/12/05
wlan-ssid-profile default
ssid Joe-AP qos wmm security default
!
18.2.2 Errors in Configuration Files or Shell Scripts
When you apply a configuration file or run a shell script, the NWA/WAC processes the file line-by-line. The NWA/WAC checks the first line and applies the line if no errors are detected. Then it continues with the next line. If the NWA/WAC finds an error, it stops applying the configuration file or shell script and generates a log.
You can change the way a configuration file or shell script is applied. Include setenv stop-on-error off in the configuration file or shell script. The NWA/WAC ignores any errors in the configuration file or shell script and applies all of the valid commands. The NWA/WAC still generates a log for any errors.
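The line rules in Sections 18.2.1 and 18.2.2 can be checked before a file is uploaded. The following Python sketch is an added example, not part of the guide or the device firmware: it classifies each line, reports cleartext password arguments and stop-on-error overrides, and compares the file extension with the Figure 10 rule. The function names, finding labels and sample script are constructed; ignoring surrounding whitespace and applying the Figure 10 rule to every file are assumptions.

```python
import re
from typing import NamedTuple

# Constructed sample, modelled on Figure 10 with one "setenv" line added.
SAMPLE = """\
## enter configuration mode
configure terminal
# change administrator password
username admin password 4321 user-type admin
setenv stop-on-error off
wlan-radio-profile default
2g-channel 11
output-power 50%
!
write
"""

PASSWORD_ARG = re.compile(r"(\bpassword\s+)(\S+)")
STOP_ON_ERROR_OFF = re.compile(r"^setenv(-startup)?\s+stop-on-error\s+off$")


class Finding(NamedTuple):
    line: int      # 1-based line number, 0 for a file-level finding
    rule: str
    detail: str


def classify(raw):
    """Return 'blank', 'exit', 'comment' or 'command' for one line."""
    text = raw.strip()          # assumption: surrounding whitespace is ignored
    if not text:
        return "blank"
    if text in ("exit", "!"):   # "exit" or a single "!" leaves sub command mode
        return "exit"
    if text[0] in "#!":         # "#" or "!" as first character marks a comment
        return "comment"
    return "command"


def required_mode(script):
    """'script' when the first command is 'configure terminal', else 'conf'."""
    for raw in script.splitlines():
        if classify(raw) == "command":
            if raw.split() == ["configure", "terminal"]:
                return "script"   # first command runs in Privilege mode
            return "conf"         # commands run in Configuration mode
    return "conf"


def redact(script):
    """Copy of the script with password arguments masked; comments untouched."""
    out = []
    for raw in script.splitlines():
        if classify(raw) == "command":
            raw = PASSWORD_ARG.sub(r"\1<redacted>", raw)
        out.append(raw)
    return "\n".join(out)


def audit(file_name, script):
    """Return the findings for one configuration file or shell script."""
    findings = []
    for number, raw in enumerate(script.splitlines(), start=1):
        if classify(raw) != "command":
            continue
        text = raw.strip()
        if PASSWORD_ARG.search(text):
            masked = PASSWORD_ARG.sub(r"\1<redacted>", text)
            findings.append(Finding(number, "cleartext-password", masked))
        if STOP_ON_ERROR_OFF.match(text):
            findings.append(Finding(number, "errors-ignored", text))
    extension = ".zysh" if required_mode(script) == "script" else ".conf"
    if not file_name.endswith(extension):
        findings.append(Finding(0, "wrong-file-type",
                                f"{file_name} should be a {extension} file"))
    return findings


if __name__ == "__main__":
    for finding in audit("setup.conf", SAMPLE):
        print(finding)
```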
18.2.3 NWA/WAC Configuration File Details
You can store multiple configuration files on the NWA/WAC. You can also have the NWA/WAC use a different configuration file without the NWA/WAC restarting.
• When you first receive the NWA/WAC, it uses the system-default.conf configuration file of default settings.
• When you change the configuration, the NWA/WAC creates a startup-config.conf file of the current configuration.
• The NWA/WAC checks the startup-config.conf file for errors when it restarts. If there is an error in the startup-config.conf file, the NWA/WAC copies the startup-config.conf configuration file to the startup-config-bad.conf configuration file and tries the existing lastgood.conf configuration file.
• When the NWA/WAC reboots, if the startup-config.conf file passes the error check, the NWA/WAC keeps a copy of the startup-config.conf file as the lastgood.conf configuration file for you as a back up file. If you upload and apply a configuration file with an error, you can apply lastgood.conf to return to a valid configuration.
18.2.4 Configuration File Flow at Restart
If there is not a startup-config.conf when you restart the NWA/WAC (whether through a management interface or by physically turning the power off and back on), the NWA/WAC uses the system-default.conf configuration file with the NWA/WAC’s default settings.
If there is a startup-config.conf, the NWA/WAC checks it for errors and applies it. If there are no errors, the NWA/WAC uses it and copies it to the lastgood.conf configuration file. If there is an error, the NWA/WAC generates a log and copies the startup-config.conf configuration file to the startup-config-bad.conf configuration file and tries the existing lastgood.conf configuration file.
If there isn’t a lastgood.conf configuration file or it also has an error, the NWA/WAC applies the system-default.conf configuration file.
You can change the way the startup-config.conf file is applied. Include the setenv-startup stop-on-error off command. The NWA/WAC ignores any errors in the startup-config.conf file and applies all of the valid commands. The NWA/WAC still generates a log for any errors.
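The restart flow above can be written as a small decision model, which makes it easy to list every file state that leaves the device on system-default.conf. This Python model is an added example, not the device's own logic: the function and type names are constructed, and because the guide does not say whether lastgood.conf is refreshed when errors are ignored, the model makes no copy in that case.

```python
from itertools import product
from typing import NamedTuple

STARTUP = "startup-config.conf"
STARTUP_BAD = "startup-config-bad.conf"
LASTGOOD = "lastgood.conf"
DEFAULT = "system-default.conf"


class BootResult(NamedTuple):
    applied: str        # configuration file the device ends up running
    copies: tuple       # (source, destination) file copies made at restart
    error_logged: bool  # True when the restart generated an error log


def restart(files, ignore_errors=False):
    """Model one restart.

    files maps a file name to True (passes the error check) or False
    (contains an error); a missing key means the file does not exist.
    ignore_errors models "setenv-startup stop-on-error off".
    """
    if STARTUP not in files:
        return BootResult(DEFAULT, (), False)
    if files[STARTUP]:
        # Clean startup file: use it and keep a copy as the back up.
        return BootResult(STARTUP, ((STARTUP, LASTGOOD),), False)
    if ignore_errors:
        # Valid commands are applied and the errors are logged.
        # Assumption: no file copies are made in this case.
        return BootResult(STARTUP, (), True)
    copies = ((STARTUP, STARTUP_BAD),)
    if files.get(LASTGOOD):
        return BootResult(LASTGOOD, copies, True)
    # lastgood.conf is missing or also has an error.
    return BootResult(DEFAULT, copies, True)


def states_ending_in_defaults():
    """Every (startup, lastgood, ignore_errors) state that ends on defaults."""
    states = {"absent": None, "valid": True, "error": False}
    hits = []
    for startup, lastgood, ignore in product(states, states, (False, True)):
        files = {}
        if states[startup] is not None:
            files[STARTUP] = states[startup]
        if states[lastgood] is not None:
            files[LASTGOOD] = states[lastgood]
        if restart(files, ignore).applied == DEFAULT:
            hits.append((startup, lastgood, ignore))
    return hits


if __name__ == "__main__":
    for state in states_ending_in_defaults():
        print(state)
```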
18.3 File Manager Commands Input Values
The following table explains the values you can input with the file manager commands.
Table 62 File Manager Command Input Values
LABEL
    DESCRIPTION
file_name
    The name of a file. Use up to 25 characters (including a-zA-Z0-9;‘~!@#$%^&()_+[]{}’,.=-).
18.4 File Manager Commands Summary
The following table lists the commands that you can use for file management.
Table 63 File Manager Commands Summary
COMMAND
    DESCRIPTION
apply /conf/file_name.conf [ignore-error] [rollback]
    Has the NWA/WAC use a specific configuration file. You must still use the write command to save your configuration changes to the flash (“non-volatile” or “long term”) memory.
    Use this command without specifying either ignore-error or rollback: this is not recommended because it would leave the rest of the configuration blank. If the interfaces were not configured before the first error, the console port may be the only way to access the device.
    Use ignore-error without rollback: this applies the valid parts of the configuration file and generates error logs for all of the configuration file’s errors. This lets the NWA/WAC apply most of your configuration and you can refer to the logs for what to fix.
    Use both ignore-error and rollback: this applies the valid parts of the configuration file, generates error logs for all of the configuration file’s errors, and starts the NWA/WAC with a fully valid configuration file.
    Use rollback without ignore-error: this gets the NWA/WAC started with a fully valid configuration file as quickly as possible.
    You can use the “apply /conf/system-default.conf” command to reset the NWA/WAC to go back to its system defaults.
copy {/cert | /conf | /idp | /packet_trace | /script | /tmp}/file_name-a.conf {/cert | /conf | /idp | /packet_trace | /script | /tmp}/file_name-b.conf
    Saves a duplicate of a file on the NWA/WAC from the source file name to the target file name.
    Specify the directory and file name of the file that you want to copy and the directory and file name to use for the duplicate.
    Always copy the file into the same directory.
copy running-config startup-config
    Saves your configuration changes to the flash (“non-volatile” or “long term”) memory. The NWA/WAC immediately uses configuration changes made via commands, but if you do not use this command or the write command, the changes will be lost when the NWA/WAC restarts.
copy running-config /conf/file_name.conf
    Saves a duplicate of the configuration file that the NWA/WAC is currently using. You specify the file name to which to copy.
delete {/cert | /conf | /idp | /packet_trace | /script | /tmp}/file_name
    Removes a file. Specify the directory and file name of the file that you want to delete.
dir {/cert | /conf | /idp | /packet_trace | /script | /tmp}
    Displays the list of files saved in the specified directory.
rename {/cert | /conf | /idp | /packet_trace | /script | /tmp}/old-file_name {/cert | /conf | /idp | /packet_trace | /script | /tmp}/new-file_name
    Changes the name of a file.
    Specify the directory and file name of the file that you want to rename. Then specify the directory again followed by the new file name.
rename /script/old-file_name /script/new-file_name
    Changes the name of a shell script.
run /script/file_name.zysh
    Has the NWA/WAC execute a specific shell script file. You must still use the write command to save your configuration changes to the flash (“non-volatile” or “long term”) memory.
show running-config
    Displays the settings of the configuration file that the system is using.
setenv-startup stop-on-error off
    Has the NWA/WAC ignore any errors in the startup-config.conf file and apply all of the valid commands.
show setenv-startup
    Displays whether or not the NWA/WAC is set to ignore any errors in the startup-config.conf file and apply all of the valid commands.
write
    Saves your configuration changes to the flash (“non-volatile” or “long term”) memory. The NWA/WAC immediately uses configuration changes made via commands, but if you do not use the write command, the changes will be lost when the NWA/WAC restarts.
18.5 File Manager Command Example
This example saves a back up of the current configuration before applying a shell script file.
Router(config)# copy running-config /conf/backup.conf
Router(config)# run /script/mac_acl_setup.zysh
18.6 FTP File Transfer
You can use FTP to transfer files to and from the NWA/WAC for advanced maintenance and support.
18.6.1 Command Line FTP File Upload
1 Connect to the NWA/WAC.
2 Enter “bin” to set the transfer mode to binary.
3 You can upload the firmware after you log in through FTP. To upload other files, use “cd” to change to the corresponding directory.
4 Use “put” to transfer files from the computer to the NWA/WAC.[1] For example:
In the conf directory, use “put config.conf today.conf” to upload the configuration file (config.conf) to the NWA/WAC and rename it “today.conf”.
“put 1.00(XL.0).bin” transfers the firmware (1.00(XL.0).bin) to the NWA/WAC.
The firmware update can take up to five minutes. Do not turn off or reset the NWA/WAC while the firmware update is in progress! If you lose power during the firmware upload, you may need to refer to Section 18.8 on page 105 to recover the firmware.
18.6.2 Command Line FTP Configuration File Upload Example
The following example transfers a configuration file named tomorrow.conf from the computer and saves it on the NWA/WAC as next.conf.
Note: Uploading a custom signature file named "custom.rules”, overwrites all custom signatures on the NWA/WAC.
Figure 11 FTP Configuration File Upload Example
C:\>ftp 192.168.1.2
Connected to 192.168.1.2.
220 FTP Server [192.168.1.2]
User (192.168.1.2:(none)): admin
331 Password required for admin.
Password:
230 User admin logged in.
ftp> cd conf
250 CWD command successful
ftp> bin
200 Type set to I
ftp> put tomorrow.conf next.conf
200 PORT command successful
150 Opening BINARY mode data connection for next.conf
226-Post action ok!!
226 Transfer complete.
ftp: 20231 bytes sent in 0.00Seconds 20231000.00Kbytes/sec.
18.6.3 Command Line FTP File Download
1 Connect to the NWA/WAC.
2 Enter “bin” to set the transfer mode to binary.
3 Use “cd” to change to the directory that contains the files you want to download.
4 Use “dir” or “ls” if you need to display a list of the files in the directory.
5 Use “get” to download files. For example:
“get vlan_setup.zysh vlan.zysh” transfers the vlan_setup.zysh configuration file on the NWA/WAC to your computer and renames it “vlan.zysh.”
1. When you upload a custom signature, the NWA/WAC appends it to the existing custom signatures stored in the “custom.rules” file.
18.6.4 Command Line FTP Configuration File Download Example
The following example gets a configuration file named today.conf from the NWA/WAC and saves it on the computer as current.conf.
Figure 12 FTP Configuration File Download Example
C:\>ftp 192.168.1.1
Connected to 192.168.1.1.
220 FTP Server [192.168.1.1]
User (192.168.1.1:(none)): admin
331 Password required for admin.
Password:
230 User admin logged in.
ftp> bin
200 Type set to I
ftp> cd conf
250 CWD command successful
ftp> get today.conf current.conf
200 PORT command successful
150 Opening BINARY mode data connection for conf/today.conf (20220 bytes)
226 Transfer complete.
ftp: 20220 bytes received in 0.03Seconds 652.26Kbytes/sec.
18.7 NWA/WAC File Usage at Startup
The NWA/WAC uses the following files at system startup.
Figure 13 NWA/WAC File Usage at Startup
1. Boot Module
2. Recovery Image
3. Firmware
1 The boot module performs a basic hardware test. You cannot restore the boot module if it is damaged. The boot module also checks and loads the recovery image. The NWA/WAC notifies you if the recovery image is damaged.
2 The recovery image checks and loads the firmware. The NWA/WAC notifies you if the firmware is damaged.
18.8 Notification of a Damaged Recovery Image or Firmware
The NWA/WAC’s recovery image and/or firmware could be damaged, for example by the power going off during a firmware upgrade. This section describes how the NWA/WAC notifies you of a damaged recovery image or firmware file. Use this section if your device has stopped responding for an extended period of time and you cannot access or ping it. Note that the NWA/WAC does not respond while starting up. It takes less than five minutes to start up with the default configuration, but the start up time increases with the complexity of your configuration.
1 Use a console cable and connect to the NWA/WAC via a terminal emulation program (such as HyperTerminal). Your console session displays the NWA/WAC’s startup messages. If you cannot see any messages, check the terminal emulation program’s settings (see Section 1.2.1 on page 14) and restart the NWA/WAC.
2 The system startup messages display followed by “Press any key to enter debug mode within 3 seconds.”
Note: Do not press any keys at this point. Wait to see what displays next.
Figure 14 System Startup Stopped
3 If the console session displays “Invalid Firmware”, or “Invalid Recovery Image”, or the console freezes at "Press any key to enter debug mode within 3 seconds" for more than one minute, go to Section 18.9 on page 106 to restore the recovery image.
Figure 15 Recovery Image Damaged
4 If “Connect a computer to port 1 and FTP to 192.168.1.1 to upload the new file” displays on the screen, the firmware file is damaged. Use the procedure in Section 18.10 on page 108 to restore it. If the message does not display, the firmware is OK and you do not need to use the firmware recovery procedure.
Figure 16 Firmware Damaged
18.9 Restoring the Recovery Image
This procedure requires the NWA/WAC’s recovery image. Download the firmware package from www.zyxel.com and unzip it. The recovery image uses a .ri extension, for example, "1.01(XL.0)C0.ri". Do the following after you have obtained the recovery image file.
Note: You only need to use this section if you need to restore the recovery image.
1 Restart the NWA/WAC.
2 When “Press any key to enter debug mode within 3 seconds.” displays, press a key to enter debug mode.
Figure 17 Enter Debug Mode
3 Enter atuk to initialize the recovery process. If the screen displays “ERROR”, enter atur to initialize the recovery process.
Note: You only need to use the atuk or atur command if the recovery image is damaged.
Figure 18 atuk Command for Restoring the Recovery Image
4 Enter Y and wait for the “Starting XMODEM upload” message before activating XMODEM upload on your terminal.
Figure 19 Starting Xmodem Upload
5 This is an example Xmodem configuration upload using HyperTerminal. Click Transfer, then Send File to display the following screen.
Figure 20 Example Xmodem Upload
Type the firmware file's location, or click Browse to search for it. Choose the 1K Xmodem protocol. Then click Send.
6 Wait for about three and a half minutes for the Xmodem upload to finish.
Figure 21 Recovery Image Upload Complete
7 Enter atgo. The NWA/WAC starts up. If “Connect a computer to port 1 and FTP to 192.168.1.1 to upload the new file” displays on the screen, the firmware file is damaged and you need to use the procedure in Section 18.10 to recover the firmware.
Figure 22 atgo Debug Command
18.10 Restoring the Firmware
This procedure requires the NWA/WAC’s firmware. Download the firmware package from www.zyxel.com and unzip it. The firmware file uses a .bin extension, for example, "1.01(XL.0)C0.bin". Do the following after you have obtained the firmware file.
Note: This section is not for normal firmware uploads. You only need to use this section if you need to recover the firmware.
1 Connect your computer to the NWA/WAC’s port 1 (only port 1 can be used).
2 The NWA/WAC’s FTP server IP address for firmware recovery is 192.168.1.1, so set your computer to use a static IP address from 192.168.1.2 ~192.168.1.254.
3 Use an FTP client on your computer to connect to the NWA/WAC. For example, in the Windows command prompt, type ftp 192.168.1.1. Keep the console session connected in order to see when the firmware recovery finishes.
4 Hit enter to log in anonymously.
5 Set the transfer mode to binary (type bin).
6 Transfer the firmware file from your computer to the NWA/WAC. Type put followed by the path and name of the firmware file. This example uses put e:\ftproot\ZLD FW \1.01(XL.0)C0.bin.
Figure 23 FTP Firmware Transfer Command
7 Wait for the file transfer to complete.
Figure 24 FTP Firmware Transfer Complete
8 After the transfer is complete, “Firmware received” or “ZLD-current received” displays. Wait (up to four minutes) while the NWA/WAC recovers the firmware.
Figure 25 Firmware Received and Recovery Started
9 The console session displays “done” when the firmware recovery is complete. Then the NWA/WAC automatically restarts.
Figure 26 Firmware Recovery Complete and Restart
10 The username prompt displays after the NWA/WAC starts up successfully. The firmware recovery process is now complete and the NWA/WAC is ready to use.
Figure 27 Restart Complete
CHAPTER 19
Logs
This chapter provides information about the NWA/WAC’s logs.
Note: When the system log reaches the maximum number of log messages, new log messages automatically overwrite existing log messages, starting with the oldest existing log message first.
See the User’s Guide for the maximum number of system log messages in the NWA/WAC.
19.1 Log Commands Summary
The following table describes the values required for many log commands. Other values are discussed with the corresponding commands.
Table 64 Input Values for Log Commands
LABEL
    DESCRIPTION
module_name
    The name of the category; kernel, syslog, .... The default category includes debugging messages generated by open source software. The all category includes all messages in all categories.
ap_mac
    The Ethernet MAC address for the specified Access Point.
pri
    The log priority. Enter one of the following values: alert, crit, debug, emerg, error, info, notice, or warn.
ipv4
    The standard version 4 IP address (such as 192.168.1.1).
service
    The service object name.
keyword
    The keyword search string. You may use up to 63 alphanumeric characters.
log_proto_accept
    The log protocol. Enter one of the following values: icmp, tcp, udp, or others.
config_interface
    The interface name. Enter up to 15 alphanumeric characters, including hyphens and underscores.
The following sections list the logging commands.
19.1.1 Log Entries Commands
This table lists the commands to look at log entries.
Table 65 logging Commands: Log Entries
COMMAND
    DESCRIPTION
show logging entries [priority pri] [category module_name] [srcip ip] [dstip ip] [service service_name] [begin <1..1024> end <1..1024>] [keyword keyword]
    Displays the selected entries in the system log.
    PRI: alert | crit | debug | emerg | error | info | notice | warn
    keyword: You can use alphanumeric and ()+/:=?!*#@$_%- characters, and it can be up to 63 characters long. This searches the message, source, destination, and notes fields.
show logging entries field field [begin <1..1024> end <1..1024>]
    Displays the selected fields in the system log.
    field: time | msg | src | dst | note | pri | cat | all
19.1.2 System Log Commands
This table lists the commands for the system log settings.
Table 66 logging Commands: System Log Settings
COMMAND
    DESCRIPTION
show logging status system-log
    Displays the current settings for the system log.
logging system-log category module_name {disable | level normal | level all}
    Specifies what kind of information, if any, is logged in the system log and debugging log for the specified category.
[no] logging system-log suppression interval <10..600>
    Sets the log consolidation interval for the system log. The no command sets the interval to ten.
[no] logging system-log suppression
    Enables log consolidation in the system log. The no command disables log consolidation in the system log.
[no] connectivity-check continuous-log activate
    Has the NWA/WAC generate a log for each connectivity check. The no command has the NWA/WAC only log the first connectivity check.
show connectivity-check continuous-log status
    Displays whether or not the NWA/WAC generates a log for each connectivity check.
clear logging system-log buffer
    Clears the system log.
19.1.2.1 System Log Command Examples
The following command displays the current status of the system log.
Router# configure terminal
Router(config)# show logging status system-log
18 events logged
suppression active : yes
suppression interval: 10
category settings :
user : normal , zysh : normal ,
built-in-service : normal , system : normal ,
system-monitoring : no , connectivity-check: normal ,
device-ha : normal , pki : normal ,
interface : normal , interface-statistics: no ,
traffic-log : no , file-manage : normal ,
wlan : normal , daily-report : normal ,
dhcp : normal , default : all ,
capwap : normal , wlan-monitor : normal ,
wlan-rogueap : normal , wlan-frame-capture: normal ,
wlan-dcs : normal , wlan-load-balancing: normal ,
19.1.3 Debug Log Commands
This table lists the commands for the debug log settings.
Table 67 logging Commands: Debug Log Settings
COMMAND
    DESCRIPTION
show logging debug status
    Displays the current settings for the debug log.
show logging debug entries [priority pri] [category module_name] [srcip ip] [dstip ip] [service service_name] [begin <1..1024> end <1..1024>] [keyword keyword]
    Displays the selected entries in the debug log.
    pri: alert | crit | debug | emerg | error | info | notice | warn
    keyword: You can use alphanumeric and ()+/:=?!*#@$_%- characters, and it can be up to 63 characters long. This searches the message, source, destination, and notes fields.
show logging debug entries field field [begin <1..1024> end <1..1024>]
    Displays the selected fields in the debug log.
    field: time | msg | src | dst | note | pri | cat | all
[no] logging debug suppression
    Enables log consolidation in the debug log. The no command disables log consolidation in the debug log.
[no] logging debug suppression interval <10..600>
    Sets the log consolidation interval for the debug log. The no command sets the interval to ten.
clear logging debug buffer
    Clears the debug log.
19.1.4 Remote Syslog Server Log Commands
This table lists the commands for the remote syslog server settings.
Table 68 logging Commands: Remote Syslog Server Settings
COMMAND
    DESCRIPTION
show logging status syslog
    Displays the current settings for the remote servers.
[no] logging syslog <1..4>
    Enables the specified remote server. The no command disables the specified remote server.
[no] logging syslog <1..4> address {ip | hostname}
    Sets the URL or IP address of the specified remote server. The no command clears this field.
    hostname: You may use up to 63 alphanumeric characters, dashes (-), or periods (.), but the first character cannot be a period.
[no] logging syslog <1..4> {disable | level normal | level all}
    Specifies what kind of information, if any, is logged for the specified category.
[no] logging syslog <1..4> facility {local_1 | local_2 | local_3 | local_4 | local_5 | local_6 | local_7}
    Sets the log facility for the specified remote server. The no command sets the facility to local_1.
[no] logging syslog <1..4> format {cef | vrpt}
    Sets the format of the log information.
    cef: Common Event Format, syslog-compatible format.
    vrpt: ZyXEL’s Vantage Report, syslog-compatible format.
19.1.5 E-mail Profile Log Commands
This table lists the commands for the e-mail profile settings.
Table 69 logging Commands: E-mail Profile Settings
COMMAND
    DESCRIPTION
show logging status mail
    Displays the current settings for the e-mail profiles.
[no] logging mail <1..2>
    Enables the specified e-mail profile. The no command disables the specified e-mail profile.
[no] logging mail <1..2> address {ip | hostname}
    Sets the URL or IP address of the mail server for the specified e-mail profile. The no command clears the mail server field.
    hostname: You may use up to 63 alphanumeric characters, dashes (-), or periods (.), but the first character cannot be a period.
logging mail <1..2> sending_now
    Sends mail for the specified e-mail profile immediately, according to the current settings.
[no] logging mail <1..2> authentication
    Enables SMTP authentication. The no command disables SMTP authentication.
[no] logging mail <1..2> authentication username username password password
    Sets the username and password required by the SMTP mail server. The no command clears the username and password fields.
    username: You can use alphanumeric characters, underscores (_), and dashes (-), and it can be up to 31 characters long.
    password: You can use most printable ASCII characters. You cannot use square brackets [ ], double quotation marks (“), question marks (?), tabs or spaces. It can be up to 31 characters long.
[no] logging mail <1..2> {send-log-to | send-alerts-to} e_mail
    Sets the e-mail address for logs or alerts. The no command clears the specified field.
    e_mail: You can use up to 63 alphanumeric characters, underscores (_), or dashes (-), and you must use the @ character.
[no] logging mail <1..2> subject subject
    Sets the subject line when the NWA/WAC mails to the specified e-mail profile. The no command clears this field.
    subject: You can use up to 60 alphanumeric characters, underscores (_), dashes (-), or !@#$%*()+=;:’,./ characters.
[no] logging mail <1..2> subject-appending {datetime | system-name}
    Sets the NWA/WAC to add the system date and time or the system name to the subject when the NWA/WAC mails to the specified e-mail profile. The no command sets the NWA/WAC to not add the system date/time or system name to the subject.
[no] logging mail <1..2> category module_name level {alert | all}
    Specifies what kind of information is logged for the specified category. The no command disables logging for the specified category.
[no] logging mail <1..2> schedule {full | hourly}
    Sets the e-mail schedule for the specified e-mail profile. The no command clears the schedule field.
logging mail <1..2> schedule daily hour <0..23> minute <0..59>
    Sets a daily e-mail schedule for the specified e-mail profile.
logging mail <1..2> schedule weekly day day hour <0..23> minute <0..59>
    Sets a weekly e-mail schedule for the specified e-mail profile.
    day: sun | mon | tue | wed | thu | fri | sat
19.1.5.1 E-mail Profile Command Examples
The following commands set up e-mail log 1.
Router# configure terminal
Router(config)# logging mail 1 address mail.zyxel.com.tw
Router(config)# logging mail 1 subject AAA
Router(config)# logging mail 1 authentication username lachang.li password XXXXXX
Router(config)# logging mail 1 send-log-to [email protected]
Router(config)# logging mail 1 send-alerts-to [email protected]
Router(config)# logging mail 1 from [email protected]
Router(config)# logging mail 1 schedule weekly day mon hour 3 minute 3
Router(config)# logging mail 1
19.1.6 Console Port Log Commands
This table lists the commands for the console port settings.
Table 70 logging Commands: Console Port Settings
COMMAND
    DESCRIPTION
show logging status console
    Displays the current settings for the console log. (This log is not discussed above.)
[no] logging console
    Enables the console log. The no command disables the console log.
logging console category module_name level {alert | crit | debug | emerg | error | info | notice | warn}
    Controls whether or not debugging information for the specified priority is displayed in the console log, if logging for this category is enabled.
[no] logging console category module_name
    Enables logging for the specified category in the console log. The no command disables logging.
19.1.7 Access Point Logging Commands
This table lists the commands for the Access Point settings.
Note: For the purposes of this device’s CLI, Access Points are referred to as WTPs.
Table 71 logging Commands: Access Point Settings
COMMAND
    DESCRIPTION
show wtp-logging status system-log [ap_mac]
    Displays the system log for the specified AP.
show wtp-logging entries [priority pri] [category module_name] [srcip ipv4] [dstip ipv4] [service service] [srciface config_interface] [dstiface config_interface] [protocol log_proto_accept] [begin <1..512> end <1..512>] [keyword keyword] [ap_mac]
    Displays only the specified log entries for the specified AP.
show wtp-logging entries field {srcif|dstif|proto|time|msg|src|dst|note|pri|cat|all} [begin <1..512> end <1..512>] [ap_mac]
    Displays only log entries for specified fields for the specified AP. You can display a range of field entries from 1-512.
show wtp-logging debug status ap_mac
    Displays the debug status of the specified AP.
show wtp-logging debug entries [priority pri] [category module_name] [srcip ipv4] [dstip ipv4] [service service] [srciface config_interface] [dstiface config_interface] [protocol log_proto_accept] [begin <1..512> end <1..512>] [keyword keyword] [ap_mac]
    Displays only the specified debug log entries for the specified AP.
show wtp-logging % debug entries field {srcif|dstif|proto|time|msg|src|dst|note|pri|cat|all} [begin <1..1024> end <1..1024>] [ap_mac]
    Displays only the log entries for the specified fields for the specified AP. You can display a range of field entries from 1-1024.
show wtp-logging status syslog [ap_mac]
    Displays the logging status for the specified AP’s syslog.
show wtp-logging status mail [ap_mac]
    Displays the logging status for the specified AP’s mail log.
show wtp-logging query-log ap_mac
    Displays the specified AP’s query log.
show wtp-logging query-dbg-log ap_mac
    Displays the specified AP’s query debug log.
show wtp-logging result-status
    Displays the AP logging result status.
show wtp-logging dbg-result-status
    Displays the AP logging debug result status.
show wtp-logging category
    Displays the AP logging categories.
Table 71 logging Commands: Access Point Settings (continued)
COMMAND
    DESCRIPTION
wtp-logging mail sending_now MAC
    Sends the specified AP’s mail log.
clear wtp-logging log-buffer MAC
    Clears the specified AP’s MAC address from the buffer.
[no] wtp-logging syslog syslog_range category module_name disable
    Disables the logging of the specified syslog category.
[no] wtp-logging syslog syslog_range category module_name level {normal | all}
    Enables logging of the specified syslog category and specifies the logging level.
[no] wtp-logging mail mail_range category module_name level {alert | all}
    Enables mail logging on APs for the specified category.
[no] wtp-logging system-log category module_name level {normal | all}
    Enables system logging on the APs for the specified category.
[no] wtp-logging system-log category module_name disable
    Disables system logging on the APs for the specified category.
[no] wtp-logging debug suppression
    Enables debug logging suppression. Use the no parameter to disable.
[no] wtp-logging debug suppression interval <10..600>
    Enables debug logging suppression during the specified interval. Use the no parameter to disable.
[no] wtp-logging console
    Enables logging of console activity. Use the no parameter to disable.
[no] wtp-logging console category module_name level pri
    Enables logging of the specified category at the specified priority level.
CHAPTER 20
Reports and Reboot
This chapter provides information about the report associated commands and how to restart the NWA/WAC using commands. It also covers the daily report e-mail feature.
20.1 Report Commands Summary
The following sections list the report and session commands.
20.1.1 Report Commands
This table lists the commands for reports.
Table 72 report Commands
COMMAND
    DESCRIPTION
[no] report
    Begins data collection. The no command stops data collection.
show report status
    Displays whether or not the NWA/WAC is collecting data and how long it has collected data.
clear report [interface_name]
    Clears the report for the specified interface or for all interfaces.
show report [interface_name {ip | service | url}]
    Displays the traffic report for the specified interface and controls the format of the report. Formats are:
    ip - traffic by IP address and direction
    service - traffic by service and direction
    url - hits by URL
20.1.2 Report Command Examples
The following commands start collecting data, display the traffic reports, and stop collecting data.
Router# configure terminal
Router(config)# show report lan ip
No. IP Address User Amount Direction
===================================================================
1 192.168.1.4 admin 1273(bytes) Outgoing
2 192.168.1.4 admin 711(bytes) Incoming
Router(config)# show report lan service
No. Port Service Amount Direction
====================================================================
1 21 ftp 1273(bytes) Outgoing
2 21 ftp 711(bytes) Incoming
Router(config)# show report lan url
No. Hit URL
=====================================================================
1 1 140.114.79.60
Router(config)# show report status
Report status: on
Collection period: 0 days 0 hours 0 minutes 18 seconds
20.2 Email Daily Report Commands
The following table identifies the values used in some of these commands. Other input values are discussed with the corresponding commands.
Table 73 Input Values for Email Daily Report Commands
LABEL
    DESCRIPTION
e_mail
    An e-mail address. You can use up to 80 alphanumeric characters, underscores (_), periods (.), or dashes (-), and you must use the @ character.
Use these commands to have the NWA/WAC e-mail you system statistics every day. You must use the configure terminal command to enter the configuration mode before you can use these commands.
Table 74 Email Daily Report Commands
COMMAND
    DESCRIPTION
show daily-report status
    Displays the e-mail daily report settings.
daily-report
    Enter the daily report sub-command mode.
[no] activate
    Turns daily e-mail reports on or off.
smtp-address {ip | hostname}
    Sets the SMTP mail server IP address or domain name.
[no] smtp-auth activate
    Enables or disables SMTP authentication.
smtp-auth username username password password
    Sets the username and password for SMTP authentication.
no smtp-address
    Resets the SMTP mail server configuration.
no smtp-auth username
    Resets the authentication configuration.
Table 74 Email Daily Report Commands (continued)
COMMAND
    DESCRIPTION
mail-subject set subject
    Configures the subject of the report e-mails.
no mail-subject set
    Clears the configured subject for the report e-mails.
[no] mail-subject append system-name
    Determines whether the system name will be appended to the subject of the report e-mails.
[no] mail-subject append date-time
    Determines whether the sending date-time will be appended to the subject of the report e-mails.
mail-from e_mail
    Sets the sender value of the report e-mails.
mail-to-1 e_mail
    Sets to whom the NWA/WAC sends the report e-mails (up to five recipients).
mail-to-2 e_mail
    See above.
mail-to-3 e_mail
    See above.
mail-to-4 e_mail
    See above.
mail-to-5 e_mail
    See above.
[no] item ap-sta
    This command is supported when the NWA/WAC is in standalone mode. Determines whether or not the AP station statistics will be included in the report e-mails.
[no] item ap-traffic
    This command is supported when the NWA/WAC is in standalone mode. Determines whether or not the AP traffic statistics will be included in the report e-mails.
[no] item cpu-usage
    Determines whether or not CPU usage statistics are included in the report e-mails.
[no] item mem-usage
    Determines whether or not memory usage statistics are included in the report e-mails.
[no] item port-usage
    Determines whether or not port usage statistics are included in the report e-mails.
[no] item station-count
    This command is supported when the NWA/WAC is in controller mode. Determines whether or not the station statistics are included in the report e-mails.
[no] item wtp-tx
    This command is supported when the NWA/WAC is in controller mode. Determines whether or not the NWA/WAC’s outgoing traffic statistics are included in the report e-mails.
[no] item wtp-rx
    This command is supported when the NWA/WAC is in controller mode. Determines whether or not the NWA/WAC’s incoming traffic statistics are included in the report e-mails.
smtp-port <1..65535>
    Sets the SMTP service port.
no smtp-port
    Resets the SMTP service port configuration.
smtp-tls {tls|starttls}
    Sets how you want communications between the SMTP mail server and the NWA/WAC to be encrypted.
    tls: to use Secure Sockets Layer (SSL) or Transport Layer Security (TLS).
    starttls: to upgrade a plain text connection to a secure connection using SSL/TLS.
Table 74 Email Daily Report Commands (continued)
COMMAND
    DESCRIPTION
[no] smtp-tls activate
    Encrypts the communications between the SMTP mail server and the NWA/WAC. The no command disables communication encryption.
schedule hour <0..23> minute <00..59>
    Sets the time for sending out the report e-mails.
[no] reset-counter
    Determines whether or not to clear the report statistics data after successfully sending out a report e-mail.
reset-counter-now
    Discards all report data and starts all of the counters over at zero.
send-now
    Sends the daily e-mail report immediately. This lets the user actively send out the report e-mails.
20.2.1 Email Daily Report Example
This example sets the NWA/WAC to send a daily report e-mail.
Router(config)# daily-report
Router(config-daily-report)# no activate
Router(config-daily-report)# smtp-address example-SMTP-mail-server.com
Router(config-daily-report)# mail-subject set test subject
Router(config-daily-report)# no mail-subject append system-name
Router(config-daily-report)# mail-subject append date-time
Router(config-daily-report)# mail-from [email protected]
Router(config-daily-report)# no mail-to-2
Router(config-daily-report)# no mail-to-3
Router(config-daily-report)# mail-to-4 [email protected]
Router(config-daily-report)# no mail-to-5
Router(config-daily-report)# smtp-auth activate
Router(config-daily-report)# smtp-auth username 12345 password pass12345
Router(config-daily-report)# schedule hour 13 minutes 57
Router(config-daily-report)# no schedule reset-counter
Router(config-daily-report)# item cpu-usage
Router(config-daily-report)# item mem-usage
Router(config-daily-report)# item port-usage
Router(config-daily-report)# activate
Router(config-daily-report)# exit
Router(config)#
This displays the email daily report settings and has the NWA/WAC send the report now.
Router(config)# show daily-report status
email daily report status
=========================
activate: no
scheduled time: 00:00
reset counter: no
smtp address:
smtp port: 25
smtp auth: no
smtp username:
smtp password:
mail subject:
append system name: no
append date time: no
mail from:
mail-to-1:
mail-to-2:
mail-to-3:
mail-to-4:
mail-to-5:
cpu-usage: yes
mem-usage: yes
port-usage: yes
ap-sta: no
ap-traffic: no
Router(config)#
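The daily-report example in section 20.2.1 turns on SMTP authentication without the smtp-tls commands from Table 74. The following Python sketch is an added example, not part of the Zyxel guide or firmware: it replays a daily-report transcript, reports when the SMTP login or the report itself would leave the device without `smtp-tls activate`, and masks passwords before a transcript is shared. It assumes every setting is off until a command in the transcript changes it; the function names, finding codes and sample transcript are constructed for illustration.

```python
import re

# Sub-command prompt as printed in section 20.2.1.
PROMPT = re.compile(r"^\S+\(config-daily-report\)#\s*")
# Secret in "smtp-auth username U password P" and in
# "logging mail 1 authentication username U password P" (section 19.1.5.1).
SECRET = re.compile(r"(\bpassword\s+)\S+")

# Constructed transcript modelled on the section 20.2.1 example; values are samples.
SAMPLE = """\
Router(config-daily-report)# smtp-address example-SMTP-mail-server.com
Router(config-daily-report)# smtp-auth activate
Router(config-daily-report)# smtp-auth username 12345 password pass12345
Router(config-daily-report)# item cpu-usage
Router(config-daily-report)# activate
Router(config-daily-report)# exit
"""


def parse(transcript):
    """Replay daily-report sub-commands and return the resulting settings."""
    # Assumption: each setting is off or unset until a command changes it.
    s = {"active": False, "server": None, "port": None, "auth": False,
         "username": None, "has_password": False,
         "tls": False, "tls_mode": None}
    for raw in transcript.splitlines():
        line = raw.strip()
        m = PROMPT.match(line)
        if not m:
            continue  # command output and other prompts are ignored
        words = line[m.end():].split()
        negate = bool(words) and words[0] == "no"
        if negate:
            words = words[1:]
        if not words:
            continue
        cmd, args = words[0], words[1:]
        if cmd == "activate":
            s["active"] = not negate
        elif cmd == "smtp-address":
            s["server"] = args[0] if (args and not negate) else None
        elif cmd == "smtp-port":
            s["port"] = int(args[0]) if (args and not negate) else None
        elif cmd == "smtp-auth" and args[:1] == ["activate"]:
            s["auth"] = not negate
        elif cmd == "smtp-auth" and args[:1] == ["username"]:
            if negate:  # "no smtp-auth username" resets the credentials
                s["username"], s["has_password"] = None, False
            else:
                s["username"] = args[1] if len(args) > 1 else None
                s["has_password"] = "password" in args[2:]
        elif cmd == "smtp-tls" and args[:1] == ["activate"]:
            s["tls"] = not negate
        elif cmd == "smtp-tls" and args[:1] in (["tls"], ["starttls"]):
            s["tls_mode"] = args[0]
    return s


def audit(settings):
    """Return finding codes for settings that leave mail traffic unencrypted."""
    findings = []
    if settings["auth"] and settings["has_password"] and not settings["tls"]:
        findings.append("AUTH_WITHOUT_TLS")    # SMTP login sent without encryption
    if settings["active"] and not settings["tls"]:
        findings.append("REPORT_WITHOUT_TLS")  # report contents sent without encryption
    return findings


def redact(transcript):
    """Mask the value after every 'password' keyword in a CLI transcript."""
    return SECRET.sub(r"\1<redacted>", transcript)


if __name__ == "__main__":
    print(audit(parse(SAMPLE)))
    print(redact(SAMPLE))
```

Appending `smtp-tls starttls` and `smtp-tls activate` lines to the transcript clears both findings.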
20.3 Reboot
Use this to restart the device (for example, if the device begins behaving erratically).
If you made changes in the CLI, you have to use the write command to save the configuration before you reboot. Otherwise, the changes are lost when you reboot.
Use the reboot command to restart the device.
CHAPTER 21
Session Timeout
21.1 Session Timeout Commands
Use these commands to modify and display the session timeout values. You must use the configure terminal command before you can use these commands.
Table 75 Session Timeout Commands
COMMAND
    DESCRIPTION
session timeout {udp-connect <1..300> | udp-deliver <1..300> | icmp <1..300>}
    Sets the timeout for UDP sessions to connect or deliver and for ICMP sessions.
session timeout {tcp-close <1..300> | tcp-closewait <1..300> | tcp-established <1..432000> | tcp-finwait <1..300> | tcp-lastack <1..300> | tcp-synrecv <1..300> | tcp-synsent <1..300> | tcp-timewait <1..300> | udp-connect <1..300> | udp-deliver <1..300> | icmp <1..300>}
    Sets the timeout for TCP sessions in the ESTABLISHED, SYN_RECV, FIN_WAIT, SYN_SENT, CLOSE_WAIT, LAST_ACK, or TIME_WAIT state.
show session timeout {icmp | tcp-timewait | udp}
    Displays ICMP, TCP, and UDP session timeouts.
21.1.1 Session Timeout Commands Example
The following example sets the UDP session connect timeout to 10 seconds, the UDP deliver session timeout to 15 seconds, and the ICMP timeout to 15 seconds.
Router(config)# session timeout udp-connect 10
Router(config)# session timeout udp-deliver 15
Router(config)# session timeout icmp 15
Router(config)# show session timeout udp
UDP session connect timeout: 10 seconds
UDP session deliver timeout: 15 seconds
Router(config)# show session timeout icmp
ICMP session timeout: 15 seconds
CHAPTER 22
LEDs
This chapter describes two features that control the LEDs of your NWA/WAC - Locator and Suppression.
22.1 LED Suppression Mode
The LED Suppression feature allows you to control how the LEDs of your NWA/WAC behave after it’s ready. The default LED suppression setting of your AP is different depending on your NWA/WAC model.
Note: When the NWA/WAC is booting or performing firmware upgrade, the LEDs will be lit regardless of the setting in LED suppression.
22.2 LED Suppression Commands
Use these commands to set how you want the LEDs to behave after the device is ready. You must use the configure terminal command before you can use these commands.
Table 76 LED Suppression Commands
COMMAND
    DESCRIPTION
led_suppress enable
    Sets the LEDs of your NWA/WAC to turn off after it’s ready.
led_suppress disable
    Sets the LEDs to stay lit after the NWA/WAC is ready.
show led_suppress status
    Displays whether LED suppression mode is enabled or disabled on the NWA/WAC.
22.2.1 LED Suppression Commands Example
The following example activates LED suppression mode and displays the settings.
Router(config)# led_suppress enable
Router(config)# show led_suppress status
suppress mode status : Enable
22.3 LED Locator
The LED locator feature identifies the location of your WAC among several devices in the network.
You can run this feature and set a timer.
22.4 LED Locator Commands
Use these commands to run the LED locator feature. You must use the configure terminal command before you can use these commands.
Table 77 LED Locator Commands
COMMAND
    DESCRIPTION
led_locator on
    Enables the LED locator function. It will show the actual location of the WAC between several devices in the network.
led_locator off
    Disables the LED locator function.
led_locator blink-timer <1..60>
    Sets a time interval between 1 and 60 minutes to stop the locator LED from blinking.
show led_locator status
    Displays whether LED locator function is enabled and the timer setting.
22.4.1 LED Locator Commands Example
The following example turns on the LED locator feature and displays the settings.
Router(config)# led_locator on
Router(config)# show led_locator status
Locator LED Status : ON
Locator LED Time : 10
CHAPTER 23
Antenna Switch
This chapter shows you how to adjust coverage depending on the orientation of the antenna.
23.1 Antenna Switch Overview
On the NWA/WAC that comes with internal antennas and also has an antenna switch, you can adjust coverage depending on the orientation of the antenna for the NWA/WAC radios using the web configurator, the command line interface (CLI) or a physical switch.
Note: With the physical antenna switch, you apply the same antenna orientation settings to both radios. You can set the radios to have different settings while using the web configurator or the command line interface.
Note: The antenna switch is not available in every model. Please check the User’s Guide or datasheet, or refer to the product page at www.zyxel.com to see if your NWA/WAC has an antenna switch.
23.2 Antenna Switch Commands
The following table describes the commands available for the antenna switch function. You must use the configure terminal command before you can use these commands.
Table 78 Antenna Switch Commands
COMMAND
    DESCRIPTION
antenna config slot_name chain3 {ceiling | wall}
    Adjusts coverage depending on each radio’s antenna orientation for better coverage.
[no] antenna sw-control enable
    Enables the adjustment of coverage depending on the orientation of the antenna for the NWA/WAC radios using the web configurator or the command line interface (CLI).
    Note: The antenna switch in the web configurator or CLI has priority over the physical antenna switch if you enable software control.
    The no command disables adjustment through the web configurator or the command line interface (CLI). You can still adjust coverage using a physical antenna switch.
show antenna status
    Displays whether software control of the antenna switch is enabled and the antenna orientation.
show wlan all
    Displays the antenna settings for all radios on the NWA/WAC.
23.2.1 Antenna Switch Commands Example
The following example enables software control of the antenna switch and displays the settings.
Router(config)# antenna sw-control enable
Router(config)# show antenna status
SW-Control: Enable
Radio 1: Ceiling
Radio 2: Ceiling
Router(config)#
CHAPTER 24
Diagnostics
This chapter covers how to use the diagnostics feature.
24.1 Diagnostics Overview
The diagnostics feature provides an easy way for you to generate a file containing the NWA/WAC’s configuration and diagnostic information. You may need to generate this file and send it to customer support during troubleshooting.
24.2 Diagnosis Commands
The following table lists the commands that you can use to have the NWA/WAC collect diagnostics information. Use the configure terminal command to enter the configuration mode to be able to use these commands.
Table 79 diagnosis Commands
COMMAND
    DESCRIPTION
diag-info collect
    Has the NWA/WAC create a new diagnostic file.
show diag-info
    Displays the name, size, and creation date (in yyyy-mm-dd hh:mm:ss format) of the diagnostic file.
24.2.1 Diagnosis Commands Example
The following example creates a diagnostic file and displays its name, size, and creation date.
Router# configure terminal
Router(config)# diag-info collect
Please wait, collecting information
Router(config)# show diag-info
Filename : diaginfo-20070423.tar.bz2
File size : 1259 KB
Date : 2007-04-23 09:55:09
CHAPTER 25
Maintenance Tools
Use the maintenance tool commands to check the conditions of other devices through the NWA/WAC. The maintenance tools can help you to troubleshoot network problems.
Here are maintenance tool commands that you can use in privilege mode.
Table 80 Maintenance Tools Commands in Privilege Mode
COMMAND
    DESCRIPTION
packet-trace [interface interface_name] [ip-proto {<0..255> | protocol_name | any}] [src-host {ip | hostname | any}] [dst-host {ip | hostname | any}] [port {<1..65535> | any}] [file] [duration <1..3600>] [extension-filter filter_extension]
    Sends traffic through the specified interface with the specified protocol, source address, destination address, and/or port number.
    If you specify file, the NWA/WAC dumps the traffic to /packet_trace/packet_trace_interface. Use FTP to retrieve the files (see Section 18.6 on page 102).
    If you do not assign the duration, the NWA/WAC keeps dumping traffic until you use Ctrl-C.
    Use the extension filter to extend the use of this command.
    protocol_name: You can use the name, instead of the number, for some IP protocols, such as tcp, udp, icmp and so on. The names consist of 1-16 alphanumeric characters, underscores (_), or dashes (-). The first character cannot be a number.
    hostname: You can use up to 252 alphanumeric characters, dashes (-), or periods (.). The first character cannot be a period.
    filter_extension: You can use 1-256 alphanumeric characters, spaces, or '()+,/:=?;!*#@$_%.- characters.
traceroute {ip | hostname}
    Displays the route taken by packets to the specified destination. Use Ctrl+c when you want to return to the prompt.
[no] packet-capture activate
    Performs a packet capture that captures network traffic going through the set NWA/WAC’s interface(s). Studying these packet captures may help you identify network problems.
    The no command stops the running packet capture on the NWA/WAC.
    Note: Use the packet-capture configure command to configure the packet-capture settings before using this command.
packet-capture configure
    Enters the sub-command mode.
duration <0..300>
    Sets a time limit in seconds for the capture. The NWA/WAC stops the capture and generates the capture file when either this period of time has passed or the file reaches the size specified using the files-size command below. 0 means there is no time limit.
Table 80 Maintenance Tools Commands in Privilege Mode (continued)
COMMAND
    DESCRIPTION
file-suffix <profile_name>
    Specifies text to add to the end of the file name (before the dot and filename extension) to help you identify the packet capture files. Modifying the file suffix also avoids making new capture files that overwrite existing files of the same name.
    The file name format is “interface name-file suffix.cap”, for example “vlan2-packet-capture.cap”.
files-size <1..10000>
    Specify a maximum size limit in kilobytes for the total combined size of all the capture files on the NWA/WAC, including any existing capture files and any new capture files you generate.
    The NWA/WAC stops the capture and generates the capture file when either the file reaches this size or the time period specified (using the duration command above) expires.
    Note: If you have existing capture files you may need to set this size larger or delete existing capture files.
host-ip {ip-address | profile_name | any}
    Sets a host IP address or a host IP address object for which to capture packets. any means to capture packets for all hosts.
host-port <0..65535>
    If you set the IP Type to any, tcp, or udp using the ip-type command below, you can specify the port number of traffic to capture.
iface {add | del} {interface_name | virtual_interface_name}
    Adds or deletes an interface or a virtual interface for which to capture packets to the capture interfaces list.
ip-type {icmp | igmp | igrp | pim | ah | esp | vrrp | udp | tcp | any}
    Sets the protocol of traffic for which to capture packets. any means to capture packets for all types of traffic.
snaplen <68..1512>
    Specifies the maximum number of bytes to capture per packet. The NWA/WAC automatically truncates packets that exceed this size. As a result, when you view the packet capture files in a packet analyzer, the actual size of the packets may be larger than the size of captured packets.
show packet-capture status
    Displays whether a packet capture is ongoing.
show packet-capture config
    Displays current packet capture settings.
25.0.1 Command Examples
Some packet-trace command examples are shown below.
Router# packet-trace duration 3
tcpdump: listening on eth0
19:24:43.239798 192.168.1.10 > 192.168.1.1: icmp: echo request
19:24:43.240199 192.168.1.1 > 192.168.1.10: icmp: echo reply
19:24:44.258823 192.168.1.10 > 192.168.1.1: icmp: echo request
19:24:44.259219 192.168.1.1 > 192.168.1.10: icmp: echo reply
19:24:45.268839 192.168.1.10 > 192.168.1.1: icmp: echo request
19:24:45.269238 192.168.1.1 > 192.168.1.10: icmp: echo reply
6 packets received by filter
0 packets dropped by kernel
Router# packet-trace interface br0 ip-proto icmp file extension-filter and src host 192.168.105.133 and dst host 192.168.105.40 -s 500 -n
tcpdump: listening on br0
07:26:51.731558 192.168.105.133 > 192.168.105.40: icmp: echo request (DF)
07:26:52.742666 192.168.105.133 > 192.168.105.40: icmp: echo request (DF)
07:26:53.752774 192.168.105.133 > 192.168.105.40: icmp: echo request (DF)
07:26:54.762887 192.168.105.133 > 192.168.105.40: icmp: echo request (DF)
8 packets received by filter
0 packets dropped by kernel
Router# packet-trace interface br0 ip-proto icmp file extension-filter -s 500 -n
tcpdump: listening on br0
07:24:07.898639 192.168.105.133 > 192.168.105.40: icmp: echo request (DF)
07:24:07.900450 192.168.105.40 > 192.168.105.133: icmp: echo reply
07:24:08.908749 192.168.105.133 > 192.168.105.40: icmp: echo request (DF)
07:24:08.910606 192.168.105.40 > 192.168.105.133: icmp: echo reply
8 packets received by filter
0 packets dropped by kernel
Router# traceroute www.zyxel.com
traceroute to www.zyxel.com (203.160.232.7), 30 hops max, 38 byte packets
1 172.23.37.254 3.049 ms 1.947 ms 1.979 ms
2 172.23.6.253 2.983 ms 2.961 ms 2.980 ms
3 172.23.6.1 5.991 ms 5.968 ms 6.984 ms
4 * * *
Here are maintenance tool commands that you can use in configure mode.
Table 81 Maintenance Tools Commands in Configuration Mode
COMMAND
    DESCRIPTION
show arp-table
    Displays the current Address Resolution Protocol table.
arp IP mac_address
    Edits or creates an ARP table entry.
no arp ip
    Removes an ARP table entry.
The following example creates an ARP table entry for IP address 192.168.1.10 and MAC address 01:02:03:04:05:06. Then it shows the ARP table and finally removes the new entry.
Router# arp 192.168.1.10 01:02:03:04:05:06
Router# show arp-table
Address HWtype HWaddress Flags Mask Iface
192.168.1.10 ether 01:02:03:04:05:06 CM lan
192.168.1.254 ether 00:04:80:9B:78:00 C lan
Router# no arp 192.168.1.10
Router# show arp-table
Address HWtype HWaddress Flags Mask Iface
192.168.1.10 (incomplete) lan
192.168.1.254 ether 00:04:80:9B:78:00 C lan
25.0.1.1 Packet Capture Command Example
The following examples show how to configure packet capture settings and perform a packet capture. First you have to check whether a packet capture is running. This example shows no other packet capture is running. Then you can also check the current packet capture settings.
Router(config)# show packet-capture status
capture status: off
Router(config)#
Router(config)# show packet-capture config
iface: lan
ip-version: any
proto-type: any
host-port: 0
host-ip: any
file-suffix: lan-packet-capture
snaplen: 1500
duration: 0
file-size: 1000
Exit the sub-command mode and have the NWA/WAC capture packets according to the settings you just configured.
Router(packet-capture)# exit
Router(config)# packet-capture activate
Router(config)#
Manually stop the running packet capturing.
Router(config)# no packet-capture activate
Router(config)#
Check current packet capture status and list all packet captures the NWA/WAC has performed.
Router(config)# show packet-capture status
capture status: off
Router(config)# dir /packet_trace
File Name Size Modified Time
===========================================================================
lan-packet-capture.cap 575160 2009-11-24 09:06:59
Router(config)#
You can use FTP to download a capture file. Open and study it using a packet analyzer tool (for example, Ethereal or Wireshark).
CHAPTER 26
Watchdog Timer
This chapter provides information about the NWA/WAC’s watchdog timers.
26.1 Hardware Watchdog Timer
The hardware watchdog has the system restart if the hardware fails.
The hardware-watchdog-timer commands are for support engineers.
It is recommended that you not modify the hardware watchdog timer settings.
Table 82 hardware-watchdog-timer Commands
COMMAND
    DESCRIPTION
[no] hardware-watchdog-timer <4..37>
    Sets how long the system’s hardware can be unresponsive before resetting. The no command turns the timer off.
show hardware-watchdog-timer status
    Displays the settings of the hardware watchdog timer.
26.2 Software Watchdog Timer
The software watchdog has the system restart if the core firmware fails.
The software-watchdog-timer commands are for support engineers.
It is recommended that you not modify the software watchdog timer settings.
Table 83 software-watchdog-timer Commands
COMMAND
    DESCRIPTION
[no] software-watchdog-timer <10..600>
    Sets how long the system’s core firmware can be unresponsive before resetting. The no command turns the timer off.
show software-watchdog-timer status
    Displays the settings of the software watchdog timer.
show software-watchdog-timer log
    Displays a log of when the software watchdog timer took effect.
26.3 Application Watchdog
The application watchdog has the system restart a process that fails. These are the app-watchdog commands. Use the configure terminal command to enter the configuration mode to be able to use these commands.
Table 84 app-watchdog Commands
COMMAND
    DESCRIPTION
[no] app-watch-dog activate
    Turns the application watchdog timer on or off.
[no] app-watch-dog consoleprint {always|once}
    Displays debug messages on the console (every time they occur or once). The no command changes the setting back to the default.
[no] app-watch-dog interval <5..60>
    Sets how frequently (in seconds) the NWA/WAC checks the system processes. The no command changes the setting back to the default.
[no] app-watch-dog retry-count <1..5>
    Sets how many times the NWA/WAC is to re-check a process before considering it failed. The no command changes the setting back to the default.
[no] app-watch-dog alert
    Has the NWA/WAC send the user an alert when the system is out of memory or disk space.
[no] app-watch-dog diskthreshold min <1..100> max <1..100>
    Sets the percentage thresholds for sending a disk usage alert. The NWA/WAC starts sending alerts when disk usage exceeds the maximum (the second threshold you enter). The NWA/WAC stops sending alerts when the disk usage drops back below the minimum threshold (the first threshold you enter). The no command changes the setting back to the default.
[no] app-watch-dog memthreshold min threshold_min max threshold_max
    Sets the percentage thresholds for sending a memory usage alert. The NWA/WAC starts sending alerts when memory usage exceeds the maximum (the second threshold you enter). The NWA/WAC stops sending alerts when the memory usage drops back below the minimum threshold (the first threshold you enter). The no command changes the setting back to the default.
show app-watch-dog config
    Displays the application watchdog timer settings.
show app-watch-dog monitorlist
    Displays the list of applications that the application watchdog is monitoring.
26.3.1 Application Watchdog Commands Example
The following example displays the application watchdog configuration and lists the processes that the application watchdog is monitoring.
Router(config)# show app-watch-dog monitor-list
#app_name        min_process_count  max_process_count(negative integer means unlimited)
uamd             1                  -1
policyd          1                  -1
classify         1                  -1
resd             1                  -1
zyshd_wd         1                  -1
zylogd           1                  -1
syslog-ng        1                  -1
zylogger         1                  -1
ddns_had         1                  -1
wdtd             1                  -1
link_updown      1                  -1
fauthd           1                  -1
signal_wrapper   1                  -1
capwap_srv       1                  1
capwap_client    1                  -1
Router(config)#
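As an added example (not part of the Zyxel guide), the following Python code parses the monitor-list output shown above and reports drift against a saved baseline, such as a logging daemon no longer being watched. The function names and the altered "later" capture are assumptions made for illustration; the process names and bounds come from the example output.

```python
import re
from typing import Dict, List, NamedTuple, Optional

# Constructed capture: the guide's example output, one process per row.
SAMPLE_OUTPUT = """\
Router(config)# show app-watch-dog monitor-list
#app_name min_process_count max_process_count(negative integer means unlimited)
uamd 1 -1
policyd 1 -1
classify 1 -1
resd 1 -1
zyshd_wd 1 -1
zylogd 1 -1
syslog-ng 1 -1
zylogger 1 -1
ddns_had 1 -1
wdtd 1 -1
link_updown 1 -1
fauthd 1 -1
signal_wrapper 1 -1
capwap_srv 1 1
capwap_client 1 -1
Router(config)#
"""

# A data row is: name, non-negative minimum, maximum (negative = unlimited).
# Prompt lines and the '#app_name' header do not match and are skipped.
ROW = re.compile(r"^(\S+)\s+(\d+)\s+(-?\d+)$")


class Entry(NamedTuple):
    name: str
    min_count: int
    max_count: Optional[int]  # None means unlimited

    def allows(self, running: int) -> bool:
        """True if 'running' instances fall inside the watchdog's bounds."""
        if running < self.min_count:
            return False
        return self.max_count is None or running <= self.max_count


def parse_monitor_list(text: str) -> Dict[str, Entry]:
    """Parse 'show app-watch-dog monitor-list' output into name -> Entry."""
    entries: Dict[str, Entry] = {}
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        name, lo, hi = m.group(1), int(m.group(2)), int(m.group(3))
        entries[name] = Entry(name, lo, None if hi < 0 else hi)
    return entries


def drift(baseline: Dict[str, Entry], current: Dict[str, Entry]) -> List[str]:
    """List differences between a saved baseline and a later capture."""
    findings = []
    for name in sorted(baseline.keys() - current.keys()):
        findings.append(f"no longer monitored: {name}")
    for name in sorted(current.keys() - baseline.keys()):
        findings.append(f"newly monitored: {name}")
    for name in sorted(baseline.keys() & current.keys()):
        if baseline[name] != current[name]:
            findings.append(f"bounds changed: {name}")
    return findings


if __name__ == "__main__":
    baseline = parse_monitor_list(SAMPLE_OUTPUT)
    # Constructed later capture: zylogd is gone, capwap_srv became unlimited.
    later_text = SAMPLE_OUTPUT.replace("zylogd 1 -1\n", "")
    later_text = later_text.replace("capwap_srv 1 1", "capwap_srv 1 -1")
    for finding in drift(baseline, parse_monitor_list(later_text)):
        print(finding)
```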
List of Commands (Alphabetical)
This section lists the commands and sub-commands in alphabetical order. Commands and subcommands appear at the same level.
................................................ 55
................................................ 55
profile-name} local ............................................ 95
[no] aaa authentication default member1 [member2] [member3] [member4] ................... 96
profile-name .................................................... 95
profile-name member1 [member2] [member3] [member4] .............. 96
group-name ..................................................... 90
group-name ................................................... 91
................................................. 93
[no] activate .......................................................................... 119
[no] activate ........................................................................... 46
[no] activate ........................................................................... 51
[no] activate ........................................................................... 54
[no] activate ........................................................................... 65
[no] activate ........................................................................... 68
[no] ampdu .............................................................................. 51
[no] amsdu .............................................................................. 52
[no] antenna sw-control enable ......................................................... 126
[no] app-watch-dog activate ............................................................ 134
[no] app-watch-dog alert ............................................................... 134
[no] app-watch-dog console-print {always|once} ......................................... 134
[no] app-watch-dog disk-threshold min <1..100> max <1..100> ............................ 134
[no] app-watch-dog interval <5..60> .................................................... 134
[no] app-watch-dog mem-threshold min threshold_min max threshold_max ................... 134
[no] app-watch-dog retry-count <1..5> .................................................. 134
[no] block-ack .......................................................................... 52
[no] block-intra ........................................................................ 57
[no] clock daylight-saving .............................................................. 79
[no] clock saving-interval begin {apr|aug|dec|feb|jan|jul|jun|mar|may|nov|oct|sep}
{1|2|3|4|last} {fri|mon|sat|sun|thu|tue|wed}
end
{apr|aug|dec|feb|jan|jul|jun|mar|may|nov|oct|sep} {1|2|3|4|last}
{fri|mon|sat|sun|thu|tue|wed}
hh:mm
offset ........................................ 79
hh:mm
} ......................................................... 79
[no] connectivity-check continuous-log activate ........................................ 112
............................................................. 79
ap_mac ..................................................................... 68
[no] ctsrts <0..2347> ................................................................... 52
............................................................ 34
[no] disable-dfs-switch .................................................................52
........................................................... 78
[no] dot11n-disable-coexistence ......................................................... 53
[no] dot11w ............................................................................. 59
[no] dot1x-eap .......................................................................... 59
[no] downstream <0..1048576> ............................................................ 34
[no] duplex <full | half> ............................................................... 37
[no] frag <256..2346> ................................................................... 53
[no] frame-capture activate ............................................................. 70
[no] hardware-watchdog-timer <4..37> ................................................... 133
[no] hide ............................................................................... 57
hostname> ................................................................ 78
[no] htprotect .......................................................................... 53
config_interface ......................................................... 39
interface_name ........................................................... 34
addr netmask ............................................................ 39
[no] ip address dhcp .................................................................... 34
................................................... 39
ip subnet_mask .......................................................... 34
fqdn w.x.y.z ................................................ 80
{w.x.y.z|fqdn} ................................. 80
[no] ip ftp server ...................................................................... 86
certificate_name ................................................ 86
[no] ip ftp server port <1..65535> ...................................................... 86
[no] ip ftp server tls-required ......................................................... 86
gateway [metric <0..15>] ................................................ 39
ip ...................................................................... 34
[no] ip helper-address .................................................................. 39
auth_method ................................................. 82
[no] ip http port <1..65535> ............................................................ 82
[no] ip http secure-port <1..65535> ..................................................... 82
[no] ip http secure-server .............................................................. 83
[no] ip http secure-server auth-client .................................................. 83
[no] ip http secure-server cert ........................................ 83
[no] ip http secure-server force-redirect ............................................... 83
[no] ip http server ..................................................................... 83
[no] ip ssh server ...................................................................... 84
certificate_name ................................................ 84
[no] ip ssh server port <1..65535> ...................................................... 84
[no] ip ssh server v1 ................................................................... 84
[no] ip telnet server ................................................................... 85
[no] ip telnet server port <1..65535> ................................................... 85
[no] item ap-sta ....................................................................... 120
[no] item ap-traffic ................................................................... 120
[no] item cpu-usage .................................................................... 120
[no] item mem-usage .................................................................... 120
[no] item port-usage ................................................................... 120
[no] item station-count ................................................................ 120
[no] item wtp-rx ....................................................................... 120
[no] item wtp-tx ....................................................................... 120
.............................................................. 57
[no] load-balancing activate ............................................................ 73
[no] load-balancing kickout ............................................................. 72
[no] logging console ................................................................... 116
.............................................. 116
[no] logging debug suppression ......................................................... 113
[no] logging debug suppression interval <10..600> ...................................... 113
[no] logging mail <1..2> ............................................................... 114
[no] logging mail <1..2> {send-log-to | send-alerts-to} ......................... 115
[no] logging mail <1..2> address {ip | hostname} ....................................... 114
[no] logging mail <1..2> authentication ................................................ 114
[no] logging mail <1..2> authentication username username password password ............ 115
[no] logging mail <1..2> category module_name level {alert | all} ...................... 115
[no] logging mail <1..2> schedule {full | hourly} ...................................... 115
[no] logging mail <1..2> subject ............................................... 115
[no] logging mail <1..2> subject-appending {date-time | system-name} ................... 115
[no] logging syslog <1..4> ............................................................. 114
[no] logging syslog <1..4> {disable | level normal | level all} ........................ 114
[no] logging syslog <1..4> address {ip | hostname} ..................................... 114
[no] logging syslog <1..4> facility {local_1 | local_2 | local_3 | local_4 | local_5 | local_6
| local_7} ....................................................................... 114
[no] logging syslog <1..4> format {cef | vrpt} ......................................... 114
[no] logging system-log suppression .................................................... 112
[no] logging system-log suppression interval <10..600> ................................. 112
mac_addr [description description] ................................................. 62
mac_address ........................................................................ 63
[no] mac-auth activate .................................................................. 59
macfilterprofile ......................................................... 57
[no] mail-subject append date-time ..................................................... 120
[no] mail-subject append system-name ................................................... 120
[no] metric <0..15> ..................................................................... 35
[no] mss <536..1460> .................................................................... 35
[no] mtu <576..1500> .................................................................... 35
[no] multicast-to-unicast ............................................................... 54
[no] negotiation auto ................................................................... 37
[no] ntp ................................................................................ 79
| w.x.y.z} .......................................................... 79
[no] packet-capture activate ........................................................... 129
radius_server auth-port auth_port ............................... 89
secret ........................................................... 90
time ......................................................... 90
[no] reauth <30..30000> .................................................................60
[no] report ............................................................................ 118
[no] reset-counter ..................................................................... 121
[no] rssi-retry ......................................................................... 54
[no] rssi-thres ......................................................................... 54
[no] server alternative-cn-identifier uid ............................................... 90
[no] server alternative-cn-identifier uid ............................................... 92
............................................................... 90
............................................................... 92
............................................................... 90
............................................................... 92
uid ........................................................... 90
uid ........................................................... 92
description ..................................................... 91
description ..................................................... 92
description ..................................................... 93
[no] server domain-auth activate ........................................................ 91
[no] server group-attribute <1-255> ..................................................... 93
group-attribute ............................................. 91
group-attribute ............................................. 92
ad_server .............................................................. 91
ldap_server ............................................................ 92
.......................................................... 93
secret .................................................................. 93
password ........................................................... 91
password ........................................................... 92
port_no ................................................................ 91
port_no ................................................................ 92
time ...................................................... 91
time ...................................................... 92
[no] server ssl ......................................................................... 91
[no] server ssl ......................................................................... 92
................................................................ 93
[no] server-auth <1..2> .................................................................60
<1..2> activate ........................................................ 60
[no] shutdown ........................................................................... 35
[no] shutdown ........................................................................... 39
[no] smtp-auth activate ................................................................ 119
[no] smtp-tls activate ................................................................. 121
[no] snmp-server ........................................................................ 87
community_string {ro|rw} ..................................... 87
description .................................................... 87
[no] snmp-server enable {informs|traps} ................................................. 87
[no] snmp-server enable traps {wireless|capwap} ......................................... 87
fqdn | w.x.y.z} [community_string] ................................. 87
description ................................................... 88
[no] snmp-server port <1..65535> ........................................................ 88
[no] snmp-server version <v2c|v3> ....................................................... 87
[no] software-watchdog-timer <10..600> ................................................. 133
[no] speed <100,10> ..................................................................... 37
[no] ssid-schedule ...................................................................... 57
[no] upstream <0..1048576> .............................................................. 35
[no] users lockout-period <1..65535> .................................................... 43
[no] users retry-count <1..99> .......................................................... 43
[no] users retry-limit .................................................................. 43
[no] users simultaneous-logon {administration | access} enforce ......................... 43
[no] users simultaneous-logon {administration | access} limit <1..1024> ................. 43
[no] vlan-id <1..4094> .................................................................57
.................................. 63
macfilter_profile_name ...................................... 61
monitor_profile_name .......................................... 54
radio_profile_name .............................................. 51
security_profile_name ........................................ 58
ssid_profile_name ................................................ 56
.................................................. 64
[no] wpa2-preauth ....................................................................... 60
[no] wtp-logging console ............................................................... 117
[no] wtp-logging console category module_name level pri ................................ 117
[no] wtp-logging debug suppression ..................................................... 117
[no] wtp-logging debug suppression interval <10..600> .................................. 117
[no] wtp-logging mail mail_range category module_name level {alert | all} .............. 117
[no] wtp-logging syslog syslog_range category module_name disable ...................... 117
[no] wtp-logging syslog syslog_range category module_name level {normal | all} ......... 117
[no] wtp-logging system-log category module_name disable ............................... 117
[no] wtp-logging system-log category module_name level {normal | all } ................. 117
{mon|tue|wed|thu|fri|sat|sun} {disable | enable} <hh:mm> <hh:mm> ........................57
.......................................................... 51
................................................ 51
.......................................................... 51
.................................................. 51
profile-name-old profile-name-new ............................. 95
.......................................................... 90
group-name group-name ........................................ 90
........................................................ 92
...................................... 92
group-name ...................................................... 93
aaa group server radius rename { } group-name-new .......................... 93
slot_name chain3 {ceiling | wall} ....................................... 126
........................................................... 46
apply ................................................................................... 24
file_name.conf [ignore-error] [rollback] ................................... 101
..................................................................... 131
atse .................................................................................... 24
wlan_band band_mode wlan_band_mode ................................................. 51
beacon-interval <40..1000> .............................................................. 52
cn-type {ip cn cn_address|fqdn cn cn_domain_name|mail cn cn_email} [ou organizational_unit] [o organization] [c country] key-type {rsa|dsa} keylen key_length num <0..99999999> password password ca ca_name url url; ............ 76
cn-type {ip cn cn_address|fqdn cn cn_domain_name|mail cn cn_email} [ou organizational_unit] [o organization] [c country] key-type {rsa|dsa} key-len key_length password password ca ca_name url url ........................... 76
cn-type {ip cn cn_address|fqdn cn cn_domain_name|mail cn cn_email} [ou organizational_unit] [o organization] [c country] key-type {rsa|rsasha256|rsa-sha512|dsa|dsa-sha256} key-len key_length [extend-key {svr-client-ike |svrclient|svr-ike|svr|client-ike|client |ike}] ....................................... 76
name password password .......................................... 76
cn-type {ip cn cn_address|fqdn cn cn_domain_name|mail cn cn_email} [ou organizational_unit] [o organization] [c country] key-type {rsa|rsasha256|rsa-sha512|dsa|dsa-sha256} key-len key_length [extend-key {svr-client-ike |svrclient|svr-ike|svr|client-ike|client |ike}] ....................................... 77
ca rename category {local|remote} old_name new_name ..................................... 77
remote_certificate ........................................................ 77
| auto} ....................................... 47
<1..4094> [tag | untag] ......................................... 48
capwap ap vlan [no] ip gateway ....................................................... 48
capwap ap vlan [no] ipv6 address /prefix ....................................... 48
dhcp6_profile ............................. 48
.............................................. 48
capwap ap vlan [no] ipv6 nd ra accept ................................................... 48
ip subnet_mask | dhcp} ....................................... 47
<1..4094> <tag|untag> ............................................ 34
...................................................................... 52
clear ................................................................................... 24
profile-name ................................................... 95
group-name] .................................................. 90
group-name] ................................................ 91
................................................ 93
clear logging debug buffer ............................................................. 113
clear logging system-log buffer ........................................................ 112
interface_name] .......................................................... 118
clear wtp-logging log-buffer MAC ....................................................... 117
yyyy-mm-dd> time <hh:mm:ss> ................................................. 79
..................................................................... 79
copy {/cert | /conf | /idp | /packet_trace | /script | /tmp} file_name-a.conf {/cert | /conf | /idp | /packet_trace | /script | /tmp}/file_name-b.conf .......................... 101
file_name.conf ............................................... 101
copy running-config startup-config ..................................................... 101
daily-report ........................................................................... 119
daily-report ............................................................................ 24
2.4g_channels ................................................... 53
5g_channels ..................................................... 53
dcs now ................................................................................. 71
dcs schedule <hh:mm> {mon|tue|wed|thu|fri|sat|sun} ...................................... 53
high| medium |low} ............................................... 52
.............................................................. 52
debug (*) ............................................................................... 24
debug [cmdexec|corefile|ip |kernel|mac-id-rewrite|observer|switch |system|zyinetpkt] (*) 26
delete .................................................................................. 24
delete {/cert | /conf | /idp | /packet_trace | /script | /tmp}/file_name ............... 102
description ................................................................. 39
description ................................................................. 52
description ................................................................. 54
description ................................................................. 57
description ................................................................. 58
description ................................................................. 63
diag-info collect ...................................................................... 128
dir ..................................................................................... 24
{/cert | /conf | /idp | /packet_trace | /script | /tmp} ............................ 102
disable ................................................................................. 25
dot11w-op <1..2> ........................................................................ 59
........................................................... 57
.................................................................39
dtim-period <1..255> .................................................................... 52
duration <0..300> ...................................................................... 129
auth_method} ................................................... 59
exit .................................................................................... 34
exit .................................................................................... 37
exit .................................................................................... 39
exit .................................................................................... 54
exit .................................................................................... 55
exit .................................................................................... 57
exit .................................................................................... 60
exit .................................................................................... 62
exit .................................................................................... 63
exit .................................................................................... 64
exit .................................................................................... 66
exit .................................................................................... 68
files-size <1..10000> .................................................................. 130
................................................................ 70
profile_name> ............................................................. 130
{allow | deny} ............................................................ 61
frame-capture configure ................................................................. 70
ap_mac description2 ......................................................... 66
group-key <30..30000> ................................................................... 59
wlan_htgi ................................................................ 53
| profile_name | any> .............................................. 130
host-port <0..65535> ................................................................... 130
htm ..................................................................................... 25
hybrid-mode [managed | standalone] ...................................................... 48
idle <30..30000> ........................................................................ 59
| virtual_interface_name} ............................ 130
interface ............................................................................... 25
bridge_interface} user_defined_name ..................................... 34
old_user_defined_name new_user_defined_name ............................ 34
profile_name} zone {ALL|profile_name} action {accept|deny} ........................................... 80
domain_zone_name|*} user-defined w.x.y.z [private | interface {interface_name | auto}] ............................. 80
ip dns server zone-forwarder move <1..32> to <1..32> .................................... 80
metric <0..15> ............................................................ 34
ip http secure-server cipher-suite {cipher_algorithm} [cipher_algorithm] [cipher_algorithm] [cipher_algorithm] ................................................................ 83
ip-type {icmp | igmp | igrp | pim | ah | esp | vrrp | udp | tcp | any} ................. 130
limit-ampdu < 100..65535> ............................................................... 53
limit-amsdu <2290..4096> ................................................................ 54
load-balancing traffic level {high | low | medium} ...................................... 72
module_name level {alert | crit | debug | emerg | error | info | notice | warn} .......................................................................... 116
hour <0..23> minute <0..59> ................ 115
logging mail <1..2> sending_now ........................................................ 114
module_name {disable | level normal | level all} ........... 112
........................................................ 59
lower} ................................................... 59
mac-auth case calling-station-id {upper lower} ....................................... 59
mac-auth delimiter account {colon | dash | none} ........................................ 60
mac-auth delimiter calling-station-id {colon | dash | none} ............................ 60
....................................................................... 120
............................................................... 120
....................................................................... 120
....................................................................... 120
....................................................................... 120
....................................................................... 120
....................................................................... 120
manager ap vlan [no] ip gateway ...................................................... 36
manager ap vlan [no] ipv6 address ipv6_addr/prefix ...................................... 35
dhcp6_profile ............................ 35
ipv6_addr ............................................. 35
| dhcp] ..................................... 35
<1..4094>
<tag|untag> ........................................... 35
<none | wep | wpa2 | wpa2-mix>
..................................................... 59
<576..1500>
......................................................................... 39
.............................................................................. 131
.......................................... 77
................................................................... 77
ap_mac
................................................................... 66
no ip dns server rule <1..32> ........................................................... 80
no ip http secure-server cipher-suite {
cipher_algorithm
} ................................ 83
no mail-subject set .................................................................... 120
no mtu .................................................................................. 39
no packet-trace ......................................................................... 25
x
> .......................................................................... 37
ap_mac
...................................................................... 66
no smtp-port ........................................................................... 120
no snmp-server v3user username <username> ............................................... 87
no upstream ............................................................................. 39
username
.................................................................... 42
no vlan-id .............................................................................. 39
nslookup ................................................................................ 25
ntp sync ................................................................................ 79
power ...................................................................... 46
packet-capture configure ............................................................... 129
packet-trace ............................................................................ 25
interface_name] [ip-proto {<0..255> | protocol_name | any}] [src-host {ip | hostname | any}] [dst-host {ip | hostname | any}] [port {<1..65535> | any}] [file] [duration <1..3600>] [extension-filter filter_extension] ......................... 129
ping .................................................................................... 25
> .................................................................. 37
psk ................................................................................. 64
psm ..................................................................................... 25
wlan_qos ............................................................................ 57
rename {/cert | /conf | /idp | /packet_trace | /script | /tmp}/old-file_name {/cert | /conf | /idp | /packet_trace | /script | /tmp}/new-file_name ............................. 102
old-file_name /script/new-file_name ..................................... 102
renew ................................................................................... 25
..................................................... 46
reset-counter-now ...................................................................... 121
............................................................ 66
rogue-ap containment .................................................................... 68
rogue-ap detection ...................................................................... 65
role {ap} ............................................................................... 54
radio_profile_name ....................................................... 46
run ..................................................................................... 25
file_name.zysh ............................................................. 102
...................................................................... 54
.................................................................. 55
................................................................. 54
schedule hour <0..23> minute <00..59> .................................................. 121
................................................................ 57
send-now ............................................................................... 121
secret secret ......................................... 60
| tcp-timewait <1..300> | udp-connect <1..300> | ucp-deliver <1..300> | icmp <1..300> } .......... 123
session timeout {udp-connect <1..300> | udp-deliver <1..300> | icmp <1..300>} .......... 123
setenv .................................................................................. 25
setenv-startup stop-on-error off ....................................................... 102
show .................................................................................... 25
group-name |default} ............................................ 95
group-name ..................................................... 90
group-name ................................................... 91
................................................. 93
show antenna status .................................................................... 126
show arp-table ......................................................................... 131
show boot status ........................................................................ 31
show ca category {local|remote} [name certificate_name format {text|pem}] ............... 77
show ca category {local|remote} name certificate_name certpath .......................... 77
name ............................................................ 77
show connectivity-check continuous-log status .......................................... 112
show console ............................................................................ 79
show cpu status ......................................................................... 31
show daily-report status ............................................................... 119
show diag-info ......................................................................... 128
show fqdn ............................................................................... 78
show hardware-watchdog-timer status .................................................... 133
show hybrid-mode ........................................................................ 48
interface_name | ethernet | vlan | all} ................................. 36
show ip ftp server status ............................................................... 86
show ip ssh server status ............................................................... 84
show ip telnet server status ............................................................ 85
| bridge | vlan | ethernet | all} ................... 36
interface_name ................................................... 36
show ipv6 static address interface interface_name ....................................... 36
show led status ......................................................................... 31
show led_locator status ................................................................ 125
show led_suppress status ............................................................... 124
show lockout-users ...................................................................... 44
show logging debug entries [priority pri] [category module_name] [srcip ip] [dstip ip] [service service_name] [begin <1..1024> end <1..1024>] [keyword keyword] .................. 113
show logging debug entries field [begin <1..1024> end <1..1024>] ................. 113
show logging debug status .............................................................. 113
show logging entries [priority ] [category module_name] [srcip ip] [dstip ip] [service service_name] [begin <1..1024> end <1..1024>] [keyword keyword] .................. 112
field [begin <1..1024> end <1..1024>] ....................... 112
show logging status console ............................................................ 116
show logging status system-log ......................................................... 112
show mac ................................................................................ 31
show manager vlan ....................................................................... 37
show mem status ......................................................................... 31
show ntp server ......................................................................... 79
show power mode ......................................................................... 31
show radius-server ...................................................................... 89
show ram-size ........................................................................... 31
wlan-macfilter-profile ] .......................................... 29
wlan-monitor-profile ] ............................................ 29
wlan-radio-profile ] .............................................. 29
wlan-security-profile ] ........................................... 29
wlan-ssid-profile ] ............................................... 29
show reference object aaa authentication [default | ] ............................ 29
show reference object ca category {local|remote} [cert_name] ............................ 29
show reference object username [ ] ............................................... 29
interface_name {ip | service | url}] ...................................... 118
show report status ..................................................................... 118
show rogue-ap containment list .......................................................... 68
.................................... 66
show running-config .................................................................... 102
show serial-number ...................................................................... 31
show session timeout {icmp | tcp-timewait | udp} ....................................... 123
show setenv-startup .................................................................... 102
show system uptime ...................................................................... 31
username] ................................................................ 42
username | all | current} ................................................... 44
show version ............................................................................ 31
show wlan all .......................................................................... 126
..................................................................... 47
detail .............................................................. 47
list all sta ........................................................ 47
show wlan-l2isolation-profile {all | rule_count | [l2isolation_profile_name]} ........... 63
show wlan-macfilter-profile {all | rule_count | [macfilter_profile_name]} ............... 61
show wlan-monitor-profile {all | rule_count | [monitor_profile_name]} .................. 54
show wlan-radio-profile {ap | monitor} {all rule_count | [radio_profile_name]} ........ 51
show wlan-security-profile {all | rule_count | [security_profile_name]} ................. 58
show wlan-ssid-profile {all | rule_count | } ........................ 56
show wlan-wds-profile {all | rule_count | ........................... 64
show wtp-logging % debug entries field { srcif|dstif|proto |time|msg|src|dst|note|pri|cat|all}
shutdown ................................................................................ 25
ip | hostname} ........................................................... 119
password password .......................................... 119
snaplen <68..1512> ..................................................................... 130
> authentication <none|MD5|SHA> privacy <none|DES|AES> privilege <ro|rw> ................................................................. 87
................................................................... 70
ssid .................................................................................... 57
.................................................... 46
ssid ............................................................................... 64
subframe-ampdu <2..64> .................................................................. 53
test aaa {server|secure-server} {ad|ldap} host {hostname | ipv4-address} [host {hostname | ipv4address}] port <1..65535> base-dn base-dn-string [bind-dn bind-dn-string password password] login-name-attribute attribute [alternative-login-name-attribute attribute] account account-name ................................................................ 96
traceroute .............................................................................. 25
ip | hostname} ............................................................. 129
ip | hostname} ............................................................. 129
traffic-prioritize {tcp-ack|dns} bandwidth <0..1048576> priority <1..7> [maximize-bandwidth-usage]; ........................................................................... 35
traffic-prioritize {tcp-ack|dns} deactivate ............................................. 35
...................................................................... 54
| console ....................................................... 44
............................................................. 57
................................................................... 39
username username ....................................................... 42
[no] description description .......................................... 42
[no] logon-lease-time <0..1440> ....................................... 42
[no] logon-re-auth-time <0..1440> ..................................... 42
encrypted-password <ciphertext> user-type {admin | guest | limited-admin | user} ............................................................................. 42
encrypted-password <password> ......................................... 42
logon-time-setting <default | manual> ................................. 42
nopassword user-type {admin | guest | limited-admin | user} ........... 42
password password user-type {admin | guest | limited-admin | user} .... 42
user-type ext-group-user .............................................. 42
| username ........................................................ 44
<tag|untag> ............................................................ 39
wds_profile_name ............................................................ 46
wds_uplink {auto | manual bssid } ............................................ 46
<64 | 128> default-key <1..4> ....................................................... 60
<open | share> ............................................................ 60
.................................................................. 60
wireless-bridge {enable | disable} ...................................................... 47
slot_name .......................................................................... 46
wlan-l2isolation-profile rename l2isolation_profile_name1 l2isolation_profile_name2 ..... 63
macfilter_profile_name1 macfilter_profile_name2 ........... 61
monitor_profile_name1 monitor_profile_name2 ................. 54
radio_profile_name1 radio_profile_name2 ....................... 51
security_profile_name1 security_profile_name2 .............. 58
ssid_profile_name1 ssid_profile_name2 .......................... 56
wds_profile_name1 wds_profile_name2 ............................. 64
<aes | auto> ................................................................ 60
.......................................................... 60
write .................................................................................. 102
write ................................................................................... 25
wtp-logging mail sending_now MAC ....................................................... 117
Key Features
- 2.4 GHz
- 5 GHz
- Maximum data transfer rate: 300 Mbit/s
- IEEE 802.11a, IEEE 802.11b, IEEE 802.11g, IEEE 802.11n, IEEE 802.3, IEEE 802.3ab, IEEE 802.3af, IEEE 802.3at, IEEE 802.3az, IEEE 802.3u, IEEE 802.3z
- 802.1x RADIUS, EAP-TLS, EAP-TTLS, PEAP, WEP, WPA, WPA2, WPA2-PSK
- Power over Ethernet (PoE)
- Antennas quantity: 2
Table of contents
- 1 NWA/WAC Series
- 3 Contents Overview
- 4 Table of Contents
- 11 Introduction
- 13 Command Line Interface
- 13 1.1 Overview
- 13 1.1.1 The Configuration File
- 13 1.2 Accessing the CLI
- 14 1.2.1 Console Port
- 14 1.2.2 Telnet
- 15 1.2.3 SSH (Secure SHell)
- 15 1.3 How to Find Commands in this Guide
- 15 1.4 How Commands Are Explained
- 16 1.4.1 Background Information
- 16 1.4.2 Command Input Values
- 16 1.4.3 Command Summary
- 16 1.4.4 Command Examples
- 16 1.4.5 Command Syntax
- 16 1.4.6 Changing the Password
- 17 1.5 CLI Modes
- 18 1.6 Shortcuts and Help
- 18 1.6.1 List of Available Commands
- 19 1.6.2 List of Sub-commands or Required User Input
- 19 1.6.3 Entering Partial Commands
- 19 1.6.4 Entering a ? in a Command
- 19 1.6.5 Command History
- 20 1.6.6 Navigation
- 20 1.6.7 Erase Current Command
- 20 1.6.8 The no Commands
- 20 1.7 Input Values
- 23 1.8 Saving Configuration Changes
- 23 1.9 Logging Out
- 24 User and Privilege Modes
- 24 2.1 User And Privilege Modes
- 25 2.1.1 Debug Commands
- 27 Reference
- 29 Object Reference
- 29 3.1 Object Reference Commands
- 30 3.1.1 Object Reference Command Example
- 31 Status
- 33 Interfaces
- 33 5.1 Interface Overview
- 33 5.1.1 Types of Interfaces
- 33 5.2 Interface General Commands Summary
- 34 5.2.1 Basic Interface Properties and IP Address Commands
- 36 5.3 Port Commands
- 37 5.3.1 Port Command Examples
- 38 5.4 VLAN Interface Specific Commands
- 40 5.4.1 VLAN Interface Examples
- 41 Users
- 41 6.1 User Account Overview
- 41 6.1.1 User Types
- 41 6.2 User Commands Summary
- 42 6.2.1 Username and User Commands
- 43 6.2.2 User Setting Commands
- 44 6.2.3 Additional User Commands
- 45 AP Management
- 45 7.1 AP Management Overview
- 46 7.2 AP Management Commands
- 47 7.3 AP Management Client Commands
- 48 7.3.1 AP Management Client Commands Example
- 50 Wireless LAN Profiles
- 50 8.1 Wireless LAN Profiles Overview
- 50 8.2 AP Radio & Monitor Profile Commands
- 55 8.2.1 AP radio & Monitor Profile Commands Example
- 56 8.3 SSID Profile Commands
- 58 8.3.1 SSID Profile Example
- 58 8.4 Security Profile Commands
- 61 8.4.1 Security Profile Example
- 61 8.5 MAC Filter Profile Commands
- 62 8.5.1 MAC Filter Profile Example
- 62 8.6 Layer-2 Isolation Profile Commands
- 63 8.6.1 Layer-2 Isolation Profile Example
- 63 8.7 WDS Profile Commands
- 64 8.7.1 WDS Profile Example
- 65 Rogue AP
- 65 9.1 Rogue AP Detection Overview
- 65 9.2 Rogue AP Detection Commands
- 66 9.2.1 Rogue AP Detection Examples
- 67 9.3 Rogue AP Containment Overview
- 68 9.4 Rogue AP Containment Commands
- 68 9.4.1 Rogue AP Containment Example
- 69 Wireless Frame Capture
- 69 10.1 Wireless Frame Capture Overview
- 69 10.2 Wireless Frame Capture Commands
- 70 10.2.1 Wireless Frame Capture Examples
- 71 Dynamic Channel Selection
- 71 11.1 DCS Overview
- 71 11.2 DCS Commands
- 72 Wireless Load Balancing
- 72 12.1 Wireless Load Balancing Overview
- 72 12.2 Wireless Load Balancing Commands
- 74 12.2.1 Wireless Load Balancing Examples
- 75 Certificates
- 75 13.1 Certificates Overview
- 75 13.2 Certificate Commands
- 75 13.3 Certificates Commands Input Values
- 76 13.4 Certificates Commands Summary
- 77 13.5 Certificates Commands Examples
- 78 System
- 78 14.1 System Overview
- 78 14.2 Host Name Commands
- 78 14.3 Time and Date
- 79 14.3.1 Date/Time Commands
- 79 14.4 Console Port Speed
- 80 14.5 DNS Overview
- 80 14.5.1 DNS Commands
- 81 14.5.2 DNS Command Example
- 82 System Remote Management
- 82 15.1 System Timeout
- 82 15.2 HTTP/HTTPS Commands
- 83 15.2.1 HTTP/HTTPS Command Examples
- 84 15.3 SSH
- 84 15.3.1 SSH Implementation on the NWA/WAC
- 84 15.3.2 Requirements for Using SSH
- 84 15.3.3 SSH Commands
- 84 15.3.4 SSH Command Examples
- 85 15.4 Telnet
- 85 15.5 Telnet Commands
- 85 15.5.1 Telnet Commands Examples
- 85 15.6 Configuring FTP
- 86 15.6.1 FTP Commands
- 86 15.6.2 FTP Commands Examples
- 86 15.7 SNMP
- 86 15.7.1 Supported MIBs
- 87 15.7.2 SNMP Traps
- 87 15.7.3 SNMP Commands
- 89 AAA Server
- 89 16.1 AAA Server Overview
- 89 16.2 Authentication Server Command Summary
- 89 16.2.1 radius-server Commands
- 90 16.2.2 radius-server Command Example
- 90 16.2.3 aaa group server ad Commands
- 91 16.2.4 aaa group server ldap Commands
- 93 16.2.5 aaa group server radius Commands
- 94 16.2.6 aaa group server Command Example
- 95 Authentication Objects
- 95 17.1 Authentication Objects Overview
- 95 17.2 aaa authentication Commands
- 96 17.2.1 aaa authentication Command Example
- 96 17.3 test aaa Command
- 97 17.3.1 Test a User Account Command Example
- 98 File Manager
- 98 18.1 File Directories
- 98 18.2 Configuration Files and Shell Scripts Overview
- 99 18.2.1 Comments in Configuration Files or Shell Scripts
- 99 18.2.2 Errors in Configuration Files or Shell Scripts
- 100 18.2.3 NWA/WAC Configuration File Details
- 100 18.2.4 Configuration File Flow at Restart
- 101 18.3 File Manager Commands Input Values
- 101 18.4 File Manager Commands Summary
- 102 18.5 File Manager Command Example
- 102 18.6 FTP File Transfer
- 102 18.6.1 Command Line FTP File Upload
- 103 18.6.2 Command Line FTP Configuration File Upload Example
- 103 18.6.3 Command Line FTP File Download
- 104 18.6.4 Command Line FTP Configuration File Download Example
- 104 18.7 NWA/WAC File Usage at Startup
- 105 18.8 Notification of a Damaged Recovery Image or Firmware
- 106 18.9 Restoring the Recovery Image
- 108 18.10 Restoring the Firmware
- 111 Logs
- 111 19.1 Log Commands Summary
- 112 19.1.1 Log Entries Commands
- 112 19.1.2 System Log Commands
- 113 19.1.3 Debug Log Commands
- 114 19.1.4 Remote Syslog Server Log Commands
- 114 19.1.5 E-mail Profile Log Commands
- 116 19.1.6 Console Port Log Commands
- 116 19.1.7 Access Point Logging Commands
- 118 Reports and Reboot
- 118 20.1 Report Commands Summary
- 118 20.1.1 Report Commands
- 119 20.1.2 Report Command Examples
- 119 20.2 Email Daily Report Commands
- 121 20.2.1 Email Daily Report Example
- 122 20.3 Reboot
- 123 Session Timeout
- 123 21.1 Session Timeout Commands
- 123 21.1.1 Session Timeout Commands Example
- 124 LEDs
- 124 22.1 LED Suppression Mode
- 124 22.2 LED Suppression Commands
- 124 22.2.1 LED Suppression Commands Example
- 125 22.3 LED Locator
- 125 22.4 LED Locator Commands
- 125 22.4.1 LED Locator Commands Example
- 126 Antenna Switch
- 126 23.1 Antenna Switch Overview
- 126 23.2 Antenna Switch Commands
- 127 23.2.1 Antenna Switch Commands Example
- 128 Diagnostics
- 128 24.1 Diagnostics Overview
- 128 24.2 Diagnosis Commands
- 128 24.2.1 Diagnosis Commands Example
- 129 Maintenance Tools
- 130 25.0.1 Command Examples
- 133 Watchdog Timer
- 133 26.1 Hardware Watchdog Timer
- 133 26.2 Software Watchdog Timer
- 134 26.3 Application Watchdog
- 134 26.3.1 Application Watchdog Commands Example
- 135 List of Commands (Alphabetical)